ABSTRACT

This dissertation investigates correlation immunity, avalanche features, and the bent
cryptographic properties for generalized Boolean functions defined on $\mathbb{V}_n$ with
values in $\mathbb{Z}_q$. We extend the concept of correlation immunity from the Boolean case
to the generalized setting, and provide multiple construction methods for order 1 and higher
correlation immune generalized Boolean functions. We establish necessary and sufficient
conditions for generalized Boolean functions. Additionally, we discuss correlation immune and
rotation symmetric generalized Boolean functions, introducing a construction method along the
way. Using a graph-theoretic and probabilistic frame of reference, we subsequently establish
several, increasingly stringent, strict avalanche criteria along with a construction method
for generalized Boolean functions. We introduce the notion of a uniform avalanche criterion
and demonstrate that generalized Boolean functions that satisfy this criterion are also order
1 correlation immune and always have Boolean function components that are both order 1
correlation immune and satisfy the strict avalanche criterion. We subsequently investigate
linear structures, directional derivatives and define a unit vector gradient for generalized
Boolean functions. We introduce the Walsh-Hadamard transform of a generalized Boolean function
along with the notion of generalized bent Boolean functions. We provide a construction of
generalized bent Boolean functions with outputs in $\mathbb{Z}_8$ and establish necessary
conditions for generalized bent Boolean functions.
Executive Summary


The Nation that makes a great
distinction between its scholars and its
warriors will have its thinking done by
cowards and its fighting done by fools.

Thucydides

This dissertation investigates cryptographic properties of generalized Boolean functions.
Generalized Boolean functions, $f: \mathbb{V}_n \to \mathbb{Z}_q$, are functions from the vector
space of binary vectors of length $n$ to a ring of integers modulo $q$. The classical Boolean
case, where $q = 2$, has been studied extensively. Such Boolean functions are frequently used as
components in cryptographic algorithms. Much less is currently known about the generalized
case, where $q > 2$. From a cryptologist's point of view, generalized Boolean functions show
promise in a number of cryptographic applications, including those in the quantum environment.

In this dissertation we investigate correlation immunity, avalanche features, and the bent
property of generalized Boolean functions. We extend the concept of correlation immunity to
the generalized setting and establish several new results for correlation immune generalized
Boolean functions. We present several algorithms for the construction of order 1, higher
order, concatenated, and rotation symmetric correlation immune generalized Boolean functions.
We also establish necessary and sufficient conditions for correlation immune generalized
Boolean functions. Doing so is important because generalized Boolean functions suitable for
cryptographic applications must not only be correlation immune, but all of their constituent
Boolean function components must also be correlation immune. Using a graph-theoretic and
probabilistic frame of reference, we then investigate avalanche features of generalized
Boolean functions. We establish several, increasingly stringent, avalanche criteria for
generalized Boolean functions. This line of investigation culminates in the development of the
uniform avalanche criterion (UAC). We demonstrate that generalized Boolean functions that
satisfy the UAC are also order 1 correlation immune and contain Boolean function components
all of which are order 1 correlation immune and satisfy the strict avalanche criterion (SAC).
We investigate linear structures and directional derivatives of UAC compliant generalized
Boolean functions. We also introduce and demonstrate the utility of the concept of a uniform
generalized Boolean function unit vector gradient. Finally, we present a selection of results
on generalized bent Boolean functions taken from the dissertation author's previously
published papers on the topic. In particular, we introduce the Walsh-Hadamard transform of
generalized Boolean functions, and define the concept of a generalized bent Boolean function.
We subsequently provide a construction of generalized bent Boolean functions with outputs in
$\mathbb{Z}_8$, and establish necessary conditions for generalized bent Boolean functions.
CHAPTER 1:

Introduction


He who loves practice without theory
is like the sailor who boards ship
without a rudder and compass and
never knows where he may cast.

Leonardo da Vinci


1.1 Background

Functions $f: \mathbb{V}_n \to \mathbb{F}_2$ from the vector space $\mathbb{V}_n$ of all binary
vectors of length $n$, to the finite field of two elements are known as Boolean functions.
These functions are essential components in modern cryptography and error correction codes. As
such, they have been the subject of intense study for the past 50 years, and much is therefore
known about them. In contrast, much less is understood about generalized Boolean functions
from the vector space $\mathbb{V}_n$ of all binary vectors of length $n$, to $\mathbb{Z}_q$,
where $q > 2$. Yet, these functions also show great promise of utility in future information,
communications, and defense technologies.

The goal of this research has been to increase our understanding of generalized Boolean
functions which satisfy certain cryptographic properties, specifically those which are
correlation immune or satisfy strict avalanche criteria. As our starting point, we use
existing Boolean functions research and then attempt, where possible, to extend these results
into the more general setting. Much of Boolean function research has a tendency to be highly
theoretical; while some of this research inevitably will follow suit, we have, whenever
possible, tried to supply the reader with a generous number of examples as well as a fair
number of algorithms with which they can go about constructing the functions under
consideration.




1.2  Contributions 

This  dissertation  makes  the  following  contributions  to  the  study  of  generalized  Boolean 
functions: 


•  We  define  the  algebraic  normal  form  (ANF)  of  a  generalized  Boolean  function  and 
demonstrate  a  method  of  deriving  the  ANF  using  the  function’s  truth  table. 

• Given function parameters $n$ and $q$, we provide respective counts for the number of
balanced and symmetric generalized Boolean functions in $n$ variables with output
values in $\mathbb{Z}_q$.

•  We  present  several  theorems  regarding  nontrivial  binomial  bisections,  and  provide  a 
complete  list  of  all  binomial  bisection  solutions  for  n  <  51. 

• We extend the concept of correlation immunity from the Boolean case to the generalized
setting.

•  We  provide  an  algorithm  with  which  to  construct  a  large  class  of  correlation  immune 
(order  1)  generalized  Boolean  functions. 

•  Using  linear  orthogonal  arrays  we  demonstrate  a  method  of  creating  higher  order 
correlation  immune  generalized  Boolean  functions. 

• We extend and prove a generalized version of the Siegenthaler correlation immune
Boolean function construction method, whereby two correlation immune (order $t$)
generalized Boolean functions in $n$ variables are combined to create a correlation
immune (order $t$) generalized Boolean function in $n + 1$ variables.

• We establish necessary and sufficient conditions which ensure that both a generalized
Boolean function as well as its Boolean function components are all correlation
immune.

•  We  investigate  correlation  immune  and  rotation  symmetric  generalized  Boolean 
functions  and  introduce  a  construction  method  for  such  functions. 

• We establish an upper bound for the number of rotation symmetric (RotS) generalized
Boolean functions, and prove that there are no balanced and RotS generalized
Boolean functions in $p$ variables with output values in $\mathbb{Z}_q$, for odd prime $p$ and $q > 2$.

•  Using  a  graph-theoretic  and  probabilistic  frame  of  reference,  we  establish  several, 
strict  avalanche  criteria  including  the  notion  of  a  uniform  avalanche  criterion  (UAC). 

•  We  prove  that  generalized  Boolean  functions  which  satisfy  the  uniform  avalanche 
criterion  are  also  order  1  correlation  immune. 




•  We  prove  that  generalized  Boolean  functions  which  satisfy  the  uniform  avalanche 
criterion  have  Boolean  function  components  which  are  all  both  SAC  and  order  1 
correlation  immune. 

• We investigate linear structures and directional derivatives of UAC-compliant generalized
Boolean functions and introduce the concept of a generalized Boolean function
unit-vector gradient.

•  We  introduce  the  Walsh-Hadamard  transform  of  generalized  Boolean  functions,  and 
define  perfect  nonlinear  generalized  Boolean  functions  and  generalized  bent  Boolean 
functions. 

• We provide a construction of generalized bent Boolean functions in $n$ variables with
output values in $\mathbb{Z}_8$.

•  We  further  establish  necessary  conditions  for  generalized  bent  Boolean  functions. 


1.3  Dissertation  Organization 

This dissertation is divided into six chapters and three appendices. In addition to the
introductory chapter in which you now find yourself, the remaining chapters are laid out
as follows. Chapter 2 contains definitions and preliminary generalized Boolean function
material. This is followed by Chapters 3-5, which contain the bulk of the dissertation
research, including all major results. Chapter 3 deals with correlation immune generalized
Boolean functions, whereas Chapter 4 tackles strict avalanche criteria. Chapter 5 contains
a brief overview of the generalized bent property along with a selection of results taken
from this author's previously published papers on this topic. Chapter 6 includes the
dissertation conclusion along with a short discussion of follow-on research possibilities.
This is followed by three appendices, the first two of which include a list of nontrivial
binomial bisections along with the Julia parallel computer search program which generated
the results. The final appendix includes a list of a few linear orthogonal arrays suitable for
construction of higher order correlation immune generalized Boolean functions.
CHAPTER 2:

Basic  Properties  of  Generalized  Boolean  Functions 


Sic  Parvis  Magna 

Sir  Francis  Drake 

In  this  chapter  we  begin  by  covering  some  basic  definitions  and  properties  which  we  will 
make  use  of  throughout  this  dissertation. 

2.1  Preliminaries 

In a similar manner to what was done in [44], we will throughout this dissertation use the
following definitions: We denote the set of integers, real numbers and complex numbers
by $\mathbb{Z}$, $\mathbb{R}$ and $\mathbb{C}$, respectively. We further denote the ring of
integers modulo $q$ by $\mathbb{Z}_q$. The vector space $\mathbb{V}_n$, sometimes alternatively
referred to as $\mathbb{F}_2^n$, is the space of all $n$-tuples $\mathbf{x} = (x_n, \ldots, x_1)$
of elements from $\mathbb{F}_2$ with the standard operations. By "$+$" we denote addition
over $\mathbb{Z}$, $\mathbb{R}$ and $\mathbb{C}$, whereas "$\oplus$" denotes addition over
$\mathbb{V}_n$ for all $n \ge 1$. Addition modulo $q$ is denoted by "$+$" and it is understood
from the context. If $\mathbf{x} = (x_n, \ldots, x_1)$ and $\mathbf{y} = (y_n, \ldots, y_1)$
are in $\mathbb{V}_n$, we define the scalar (or inner) product by
$\mathbf{x} \cdot \mathbf{y} = x_n y_n \oplus \cdots \oplus x_2 y_2 \oplus x_1 y_1$. The
cardinality of the set $S$ is denoted by $|S|$, and the conjugate of a bit $b$ will be denoted by
$\bar{b}$. If $z = a + bi \in \mathbb{C}$, then $|z| = \sqrt{a^2 + b^2}$ denotes the absolute
value of $z$, and $\bar{z} = a - bi$ denotes the complex conjugate of $z$, where $i^2 = -1$, and
$a, b \in \mathbb{R}$. The concatenation of two vectors $\mathbf{x}$ and $\mathbf{y}$ is denoted
$\mathbf{x} \| \mathbf{y}$. Additionally, as in [11], we use the Landau symbol $\mathcal{O}$
with its usual meaning, that is, $F = \mathcal{O}(G)$ means $|F(x)| \le c|G(x)|$ holds for some
positive constant $c$, and $x$ sufficiently large.

Definition 2.1. A function from $\mathbb{V}_n$ to $\mathbb{F}_2$ is called a Boolean function.
The algebra of all Boolean functions on $\mathbb{V}_n$ is denoted by $\mathcal{B}_n$ [11].

Definition 2.2. We call a function from $\mathbb{V}_n$ to $\mathbb{Z}_q$, where $q$ is a positive
integer such that $q \ge 2$, a generalized Boolean function on $n$ variables [42]. We denote the
set of such functions by $\mathcal{GB}_n^q$. If $q = 2$, we obtain the previously defined
classical Boolean functions [44].
For a given $n$, there are a total of $2^n$ possible Boolean input vectors, each of which can
in turn be mapped to $q$ possible outputs. Therefore the total number of Boolean functions
is $|\mathcal{B}_n| = 2^{2^n}$, whereas the total number of generalized Boolean functions is
$|\mathcal{GB}_n^q| = q^{2^n}$.

Given the fact that these formulae are double-exponential, the number of possible functions
quickly becomes astronomical even for input vectors of relatively modest dimensions. For
example, given input vectors of size $n = 7$ and output values in $\mathbb{Z}_5$, the number of
generalized Boolean functions is $|\mathcal{GB}_7^5| \approx 2.94 \times 10^{89}$. By
comparison, the number of atoms in the observable universe is estimated to be between
$10^{78}$ and $10^{82}$.

As was done in [44], for any function $f \in \mathcal{GB}_n^q$ and $2^{k-1} < q \le 2^k$, we
associate a unique sequence of Boolean functions $a_i \in \mathcal{B}_n$
($i = 0, 1, \ldots, k-1$) such that

$$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x}), \quad \text{for all } \mathbf{x} \in \mathbb{V}_n. \tag{2.1}$$

Definition 2.3. A generalized Boolean function $f(\mathbf{x})$ in $n$ variables is a map from
$\mathbb{V}_n$ to $\mathbb{Z}_q$. In a manner similar to that in [11], the $q$-ary sequence
defined by $(f(\mathbf{v}_0), f(\mathbf{v}_1), \ldots, f(\mathbf{v}_{2^n-1}))$, where
$\mathbf{v}_0 = (0, \ldots, 0, 0)$, $\mathbf{v}_1 = (0, \ldots, 0, 1)$, $\ldots$,
$\mathbf{v}_{2^n-1} = (1, \ldots, 1, 1)$ is denoted by $\mathbf{f}$ and is called the truth
table of $f(\mathbf{x})$.

Definition 2.4. The Hamming weight of a vector $\mathbf{x} = x_1 \cdots x_n$ (often written as
$\mathbf{x} = (x_1, \ldots, x_n)$), denoted by $wt(\mathbf{x})$, is the number of nonzero $x_i$,
where $x_i \in \mathbb{Z}_q$ [26]. The Hamming weight of a function $f(\mathbf{x})$ is the
Hamming weight of its truth table [11].

Definition 2.5. Given two $q$-ary vectors, $\mathbf{x}$ and $\mathbf{y}$ of length $n$, the
Hamming distance between the two vectors, denoted $d(\mathbf{x}, \mathbf{y})$, is the number of
indices where their values differ. Similarly, the Hamming distance between two $n$-variable
functions $f(\mathbf{x})$ and $g(\mathbf{x})$, denoted $d(f, g)$, is defined as the number of
indices for which their truth tables differ.
2.2 The Algebraic Normal Form for Generalized Boolean Functions

Definition 2.6. [11] Let $f \in \mathcal{B}_n$ be a Boolean function and let
$\mathbf{i} = (i_1, \ldots, i_n)$ and $\mathbf{x}^{\mathbf{i}} := x_1^{i_1} \cdots x_n^{i_n}$.
The Boolean function $f$ is expressed in Algebraic Normal Form in the following manner:

$$f(\mathbf{x}) = \bigoplus_{i=0}^{2^n-1} c_i \mathbf{x}^{\mathbf{i}},$$

where $c_i \in \mathbb{F}_2$ and $\mathbf{i} \in \mathbb{V}_n$ is the lexicographically ordered
binary expansion of index $i$.

Example 2.7. Consider the Boolean function $f(\mathbf{x}) = x_1 \oplus x_2x_3 \oplus x_4$. Using
the above definition it can be represented in ANF as:

$$f(\mathbf{x}) = 0 \cdot x_1^0x_2^0x_3^0x_4^0 \oplus 1 \cdot x_1^1x_2^0x_3^0x_4^0 \oplus \cdots \oplus 1 \cdot x_1^0x_2^1x_3^1x_4^0 \oplus \cdots \oplus 1 \cdot x_1^0x_2^0x_3^0x_4^1 \oplus \cdots \oplus 0 \cdot x_1^1x_2^1x_3^1x_4^1.$$

Building upon this, we now define the Algebraic Normal Form for generalized Boolean
functions as follows:

Definition 2.8. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function such that
$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$, where
$2^{k-1} < q \le 2^k$. Let $\mathbf{j} = (j_1, \ldots, j_n)$ and
$\mathbf{x}^{\mathbf{j}} := x_1^{j_1}x_2^{j_2} \cdots x_n^{j_n}$. We then define the Algebraic
Normal Form of $f$ in the following manner:

$$f(\mathbf{x}) = \sum_{i=0}^{k-1} 2^i \left( \bigoplus_{j=0}^{2^n-1} c_j \mathbf{x}^{\mathbf{j}} \right),$$

where $c_j \in \mathbb{F}_2$, $\mathbf{j} \in \mathbb{V}_n$ is the lexicographically ordered
binary expansion of index $j$, and the summation is carried out modulo $2^k$.

It is relatively straightforward to recognize the existence and uniqueness of the ANF
representation of generalized Boolean functions by considering the following: First, each
vector, $\mathbf{v} \in \mathbb{V}_n$, utilized in the ANF is unique and establishes a
surjective map between $\mathbb{V}_n$ and $\mathcal{B}_n$. Secondly, since
$|\mathbb{V}_n| = 2^n$, the power set of $\mathbb{V}_n$ has cardinality
$|\mathcal{P}(\mathbb{V}_n)| = 2^{2^n} = |\mathcal{B}_n|$. Finally, the binary expansion of any
integer $q$ is unique. Given the ANF of a generalized Boolean function $f$, we can create the
truth table of the function by simply using the ANF and evaluating, in turn, each of the $2^n$
lexicographically ordered input vectors. In order to proceed in the opposite direction and
transform a truth table into an ANF expression, we first perform a binary expansion of each
$q$-ary entry in the truth table, thereby creating multiple binary truth tables, one for each
respective $2^k$ component of $f$, where $0 \le k < \log_2 q$. Subsequently we perform the
divide-and-conquer butterfly algorithm (see the description of Carlet in [7]) on each of the
constituent binary truth tables and produce the corresponding $2^k$-associated ANF components
of the generalized Boolean function.


Example 2.9. Suppose we want to find the ANF for a function $f \in \mathcal{GB}_3^4$ with the
truth table $\mathbf{f} = 02032012$. We begin by finding the binary truth tables $a_0$ and $a_1$
associated with $2^0$ and $2^1$ respectively by performing a binary expansion of $\mathbf{f}$:

    f    a_0    a_1
    0    0      0
    2    0      1
    0    0      0
    3    1      1
    2    0      1
    0    0      0
    1    1      0
    2    0      1

Having done so, we then apply the following algorithm to each of the binary truth tables.
Algorithm 1 TT to ANF (Butterfly algorithm) - see [7]

1: Write the truth-table of $f$, in which the binary vectors of length $n$ are in lexicographic
order.

2: Let $f_0$ be the restriction of $f$ to $\mathbb{F}_2^{n-1} \times \{0\}$ and $f_1$ the
restriction of $f$ to $\mathbb{F}_2^{n-1} \times \{1\}$. The truth-table of $f_0$ (resp. $f_1$)
corresponds to the upper (resp. lower) half of the table of $f$; replace the values of $f_1$ by
those of $f_0 \oplus f_1$.

3: Apply recursively step 2, separately to the functions now obtained in the places of $f_0$
and $f_1$.

4: The algorithm terminates when it arrives at functions on one variable each. At this
point the global table gives the values of the ANF of $f$.


For $a_0$ this yields the following.

    a_0    pass 1    pass 2    ANF
    0      0         0         0
    0      0         0         0
    0      0         0         0
    1      1         1         1
    0      0         0         0
    0      0         0         0
    1      1         1         1
    0      1         1         0

Reading off the ANF column we recover the $2^0$-associated ANF-component of $f$:

$$
\begin{aligned}
a_0(\mathbf{x}) = {} & 0 \cdot x_1^0x_2^0x_3^0 \oplus 0 \cdot x_1^1x_2^0x_3^0 \oplus 0 \cdot x_1^0x_2^1x_3^0 \oplus 1 \cdot x_1^1x_2^1x_3^0 \\
& \oplus 0 \cdot x_1^0x_2^0x_3^1 \oplus 0 \cdot x_1^1x_2^0x_3^1 \oplus 1 \cdot x_1^0x_2^1x_3^1 \oplus 0 \cdot x_1^1x_2^1x_3^1.
\end{aligned}
$$


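Proceeding in a similar manner for $a_1$ yields:

    a_1    pass 1    pass 2    ANF
    0      0         0         0
    1      1         1         1
    0      0         0         0
    1      1         0         0
    1      1         1         1
    0      1         1         0
    0      0         1         1
    1      0         1         0

$$
\begin{aligned}
a_1(\mathbf{x}) = {} & 0 \cdot x_1^0x_2^0x_3^0 \oplus 1 \cdot x_1^1x_2^0x_3^0 \oplus 0 \cdot x_1^0x_2^1x_3^0 \oplus 0 \cdot x_1^1x_2^1x_3^0 \\
& \oplus 1 \cdot x_1^0x_2^0x_3^1 \oplus 0 \cdot x_1^1x_2^0x_3^1 \oplus 1 \cdot x_1^0x_2^1x_3^1 \oplus 0 \cdot x_1^1x_2^1x_3^1.
\end{aligned}
$$

Finally, assembling both ANF components we recover the ANF for our generalized
Boolean function,

$$
\begin{aligned}
f(\mathbf{x}) = {} & 0 \cdot x_1^0x_2^0x_3^0 \oplus 0 \cdot x_1^1x_2^0x_3^0 \oplus 0 \cdot x_1^0x_2^1x_3^0 \oplus 1 \cdot x_1^1x_2^1x_3^0 \oplus 0 \cdot x_1^0x_2^0x_3^1 \\
& \oplus 0 \cdot x_1^1x_2^0x_3^1 \oplus 1 \cdot x_1^0x_2^1x_3^1 \oplus 0 \cdot x_1^1x_2^1x_3^1 + 2\big(0 \cdot x_1^0x_2^0x_3^0 \oplus 1 \cdot x_1^1x_2^0x_3^0 \oplus 0 \cdot x_1^0x_2^1x_3^0 \\
& \oplus 0 \cdot x_1^1x_2^1x_3^0 \oplus 1 \cdot x_1^0x_2^0x_3^1 \oplus 0 \cdot x_1^1x_2^0x_3^1 \oplus 1 \cdot x_1^0x_2^1x_3^1 \oplus 0 \cdot x_1^1x_2^1x_3^1\big).
\end{aligned}
$$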


The complexity of computing the truth table from the ANF of a Boolean function
$f \in \mathcal{B}_n$ is $\mathcal{O}(n2^n)$. The complexity of the butterfly algorithm is also
$\mathcal{O}(n2^n)$ [7]. Therefore, the complexity of computing the ANF from the truth table of
a generalized Boolean function $f \in \mathcal{GB}_n^q$ (or vice versa), as described above, is
$\mathcal{O}(\lceil \log_2 q \rceil n 2^n)$.
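The truth-table-to-ANF procedure of Example 2.9 and Algorithm 1, as an added Python example that is not part of the dissertation: it splits a $\mathbb{Z}_q$ truth table into its binary components, runs the butterfly on each, and inverts the process. The function names are illustrative, and truth table index $v$ is assumed to encode $\mathbf{x} = (x_n, \ldots, x_1)$ with $x_1$ as the least significant bit, as in Section 2.1.

```python
"""Truth table <-> ANF for generalized Boolean functions f: V_n -> Z_q.

Added illustration; names are hypothetical. Truth table index v encodes
x = (x_n, ..., x_1) with x_1 as the least significant bit.
"""


def binary_components(tt, q):
    """Split a Z_q truth table into binary truth tables a_0..a_{k-1},
    where 2^(k-1) < q <= 2^k and f = a_0 + 2*a_1 + ... + 2^(k-1)*a_{k-1}."""
    if len(tt) == 0 or len(tt) & (len(tt) - 1):
        raise ValueError("truth table length must be a power of two")
    if any(not 0 <= v < q for v in tt):
        raise ValueError("truth table entry outside Z_q")
    k = max(1, (q - 1).bit_length())
    return [[(v >> i) & 1 for v in tt] for i in range(k)]


def butterfly(bits):
    """Algorithm 1: keep the upper half f_0, replace the lower half f_1 by
    f_0 XOR f_1, then recurse on both halves. The map is its own inverse,
    so it also turns ANF coefficients back into a binary truth table."""
    out = list(bits)
    half = len(out) // 2
    while half >= 1:
        for start in range(0, len(out), 2 * half):
            for j in range(start, start + half):
                out[j + half] ^= out[j]
        half //= 2
    return out


def tt_to_anf(tt, q):
    """Return one ANF coefficient vector per 2^i-associated component."""
    return [butterfly(a) for a in binary_components(tt, q)]


def anf_to_tt(anf, q):
    """Evaluate every component and reassemble f = sum_i 2^i * a_i."""
    comps = [butterfly(c) for c in anf]
    tt = [sum(bit << i for i, bit in enumerate(col)) for col in zip(*comps)]
    if any(v >= q for v in tt):
        raise ValueError("ANF encodes a value outside Z_q")
    return tt


def monomials(coeffs):
    """Render the nonzero terms of one component; '^' stands for XOR."""
    terms = []
    for j, c in enumerate(coeffs):
        if c:
            names = [f"x{b + 1}" for b in range(j.bit_length()) if (j >> b) & 1]
            terms.append("".join(names) or "1")
    return " ^ ".join(terms) or "0"


def algebraic_degree(anf):
    """Definition 2.10: variables in the highest-order nonzero monomial."""
    return max((bin(j).count("1")
                for comp in anf
                for j, c in enumerate(comp) if c), default=0)


if __name__ == "__main__":
    F = [0, 2, 0, 3, 2, 0, 1, 2]          # truth table of Example 2.9, q = 4
    anf = tt_to_anf(F, 4)
    for i, comp in enumerate(anf):
        print(f"a_{i}(x) = {monomials(comp)}")
    print("degree:", algebraic_degree(anf))
    print("round trip ok:", anf_to_tt(anf, 4) == F)
```
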

In a similar manner as was done for Boolean functions in [11], we define the algebraic
degree and homogeneity of generalized Boolean functions as follows:

Definition 2.10. Given a generalized Boolean function $f \in \mathcal{GB}_n^q$ we define the
algebraic degree $d^{\circ}f$ to be the number of variables in the highest order monomial with
nonzero coefficients in the ANF of $f$.

Note that defining the degree of generalized Boolean functions in this manner is possible due
to the existence and uniqueness of the ANF, which we previously demonstrated.

Definition 2.11. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to be
homogeneous if all of the terms in its ANF are of the same degree.

Seen from the ANF perspective, the simplest Boolean functions are those that are linear or
affine (linear function plus a constant). These functions have $d^{\circ}f = 1$ and are of the
form:

$$f(\mathbf{x}) = w_1x_1 \oplus w_2x_2 \oplus \cdots \oplus w_nx_n \oplus w_0.$$

Letting $\mathbf{w} = (w_1, \ldots, w_n)$, $\mathbf{x} = (x_1, \ldots, x_n) \in \mathbb{V}_n$,
$w_0 \in \mathbb{F}_2$ and denoting by $\mathbf{w} \cdot \mathbf{x}$ the usual inner product, we
can write: $\mathbf{w} \cdot \mathbf{x} = w_1x_1 \oplus w_2x_2 \oplus \cdots \oplus w_nx_n$ and
$f(\mathbf{x}) = \mathbf{w} \cdot \mathbf{x} \oplus w_0$. If $w_0 = 0$ then $f$ is linear,
otherwise $f$ is affine.

Definition 2.12. We denote the sets of all $n$-variable linear and affine functions as and
$\mathcal{A}_n$, respectively.

Affine functions are important both in coding theory and cryptography. In coding theory
affine functions play a key role in Reed-Muller codes of order 1, whereas in cryptography
we strive to avoid using affine functions and select instead nonlinear functions whose
(cryptographic) behavior is as far as possible from those contained in $\mathcal{A}_n$ [7].

2.3 Fourier Transforms and Generalized Boolean Functions

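Definition 2.13. [44] We let $\zeta = e^{2\pi i/q}$ be the complex $q$-primitive root of unity.
To each generalized Boolean function $f(\mathbf{x})$ we associate its character form, sometimes
also referred to as the sign function in characteristic 2, which is defined as:

$$\hat{f}(\mathbf{x}) = \zeta^{f(\mathbf{x})}.$$

Notice that for $q = 2$, this reduces to the familiar Boolean function character form:

$$\hat{f}(\mathbf{x}) = (-1)^{f(\mathbf{x})}.$$

Definition 2.14. As is customary, given a Boolean function $f(\mathbf{x})$, the derivative of
$f(\mathbf{x})$ with respect to a vector $\mathbf{a}$, denoted by $D_{\mathbf{a}}f(\mathbf{x})$,
is the Boolean function defined by:

$$D_{\mathbf{a}}f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a}) \oplus f(\mathbf{x}), \quad \text{for all } \mathbf{x} \in \mathbb{V}_n.$$

Observe that if $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a})$, then
$D_{\mathbf{a}}f(\mathbf{x}) = 0$ whereas if $f(\mathbf{x}) \ne f(\mathbf{x} \oplus \mathbf{a})$,
then $D_{\mathbf{a}}f(\mathbf{x}) = 1$. Inasmuch,
$\sum_{\mathbf{x} \in \mathbb{V}_n} D_{\mathbf{a}}f(\mathbf{x})$ counts the number of input
vectors which result in changes to the output values when a change of direction of $\mathbf{a}$
is applied, and can therefore be viewed as a directional derivative.

Definition 2.15. Given a generalized Boolean function $f(\mathbf{x})$, we define the derivative
$D_{\mathbf{a}}f$ of $f$ with respect to a vector $\mathbf{a}$ to be the generalized Boolean
function $D_{\mathbf{a}}f(\mathbf{x})$ given by:

$$D_{\mathbf{a}}f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a}) - f(\mathbf{x}), \quad \text{for all } \mathbf{x} \in \mathbb{V}_n.$$

Definition 2.16. Given a vector $\mathbf{a} \in \mathbb{V}_n$, we say $\mathbf{a}$ is a linear
structure of a generalized Boolean function $f(\mathbf{x}) \in \mathcal{GB}_n^q$ if the
derivative of $f(\mathbf{x})$ with respect to $\mathbf{a}$ remains constant, that is, if
$D_{\mathbf{a}}f(\mathbf{x}) = z_q$, for all $\mathbf{x} \in \mathbb{V}_n$.

Definition 2.17. [44] The (normalized) generalized Walsh-Hadamard transform of
$f \in \mathcal{GB}_n^q$ at any point $\mathbf{u} \in \mathbb{V}_n$ is the complex valued function

$$\mathcal{H}_f(\mathbf{u}) = 2^{-\frac{n}{2}} \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x})}(-1)^{\mathbf{u} \cdot \mathbf{x}}.$$

If $q = 2$, we obtain the (normalized) Walsh-Hadamard transform of $f \in \mathcal{B}_n$, which
will be denoted by $\mathcal{W}_f$ [44].

Definition 2.18. [44] The sum

$$\mathcal{C}_{f,g}(\mathbf{z}) = \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x}) - g(\mathbf{x} \oplus \mathbf{z})}$$

is the crosscorrelation of $f$ and $g$ at $\mathbf{z}$. The autocorrelation of
$f \in \mathcal{GB}_n^q$ at $\mathbf{u} \in \mathbb{V}_n$ is $\mathcal{C}_{f,f}(\mathbf{u})$
above, which we denote by $\mathcal{C}_f(\mathbf{u})$.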
2.4 Balance and Symmetry

A Boolean function $f \in$ is balanced if its output values are uniformly distributed.
In order for a generalized Boolean function to be balanced, we must have $q = 2^\ell$ for
$\ell \le n$, since the function's $q$ possible output values must be evenly distributed among
its $2^n$ outputs.

Recall that a Boolean function $f \in \mathcal{B}_n$ is balanced if and only if the Hamming
weight of its truth table is exactly $2^{n-1}$ [11].

Lemma 2.19. If a generalized Boolean function $f(\mathbf{x}) \in \mathcal{GB}_n^{2^\ell}$ is
balanced, then its Hamming weight equals $(2^\ell - 1)2^{n-\ell} = 2^n - 2^{n-\ell}$. Notice that
if $\ell = 1$, this reduces to the Boolean function case where the weight of $f$ equals
$2^{n-1}$.

Considering Walsh-Hadamard transforms for a moment, we recall from [11] that a Boolean
function $f$ is balanced if and only if the Walsh-Hadamard transform,

$$\mathcal{W}_f(\mathbf{0}) = 0.$$

In the generalized Boolean function case, we can say the following:

Lemma 2.20. If a generalized Boolean function $f$ is balanced, then the generalized
Walsh-Hadamard transform of $f$ is,

$$\mathcal{H}_f(\mathbf{0}) = 2^{\frac{n}{2}-\ell} \sum_{j=0}^{2^\ell-1} \zeta^j = 2^{\frac{n}{2}-\ell}\, \frac{\zeta^{2^\ell} - 1}{\zeta - 1} = 0.$$

The reader will notice that unlike in the classical Boolean functions case, the preceding
criteria for generalized Boolean functions are not biconditional. That is, if a generalized
Boolean function is balanced, then the criteria hold. However, for $\ell > 1$, the Hamming
weight and Walsh-Hadamard transform conditions outlined above are necessary, but not
sufficient, conditions for the function to be balanced. In fact, there are many generalized
Boolean functions that satisfy these criteria, yet fail to be balanced.
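An added Python example, not taken from the dissertation, that evaluates the generalized Walsh-Hadamard transform of Definition 2.17 and checks the conditions of Lemmas 2.19 and 2.20 against actual balance: it exhaustively classifies $\mathcal{GB}_2^4$ and tests a constructed $\mathbb{Z}_8$ truth table that meets both conditions without being balanced. Function names and the sample truth table are assumptions made for illustration.

```python
"""Balance versus the necessary conditions of Lemmas 2.19 and 2.20.

Added illustration; names are hypothetical. Truth table index x is the
integer whose binary digits are the input vector.
"""
import cmath
from collections import Counter
from itertools import product


def walsh_hadamard(tt, q, u):
    """Normalized generalized Walsh-Hadamard transform (Definition 2.17):
    H_f(u) = 2^(-n/2) * sum_x zeta^f(x) * (-1)^(u.x), zeta = e^(2*pi*i/q)."""
    n = len(tt).bit_length() - 1
    zeta = cmath.exp(2j * cmath.pi / q)
    total = sum(zeta ** v * (-1) ** bin(u & x).count("1")
                for x, v in enumerate(tt))
    return total / 2 ** (n / 2)


def hamming_weight(tt):
    """Number of nonzero truth table entries (Definition 2.4)."""
    return sum(1 for v in tt if v)


def is_balanced(tt, q):
    """Every value of Z_q occurs equally often."""
    counts = Counter(tt)
    return len(tt) % q == 0 and all(counts[v] == len(tt) // q for v in range(q))


def satisfies_weight(tt, q):
    """Lemma 2.19 condition for q = 2^l: wt(f) = 2^n - 2^(n-l)."""
    return len(tt) % q == 0 and hamming_weight(tt) == len(tt) - len(tt) // q


def satisfies_wht(tt, q, eps=1e-9):
    """Lemma 2.20 condition: H_f(0) = 0 (up to floating point error)."""
    return abs(walsh_hadamard(tt, q, 0)) < eps


def census(n, q):
    """Classify every function in GB_n^q; feasible only for tiny n and q."""
    tally = Counter()
    for tt in product(range(q), repeat=2 ** n):
        w, h = satisfies_weight(tt, q), satisfies_wht(tt, q)
        tally["weight"] += w
        tally["wht"] += h
        tally["both"] += w and h
        tally["balanced"] += is_balanced(tt, q)
    return dict(tally)


# Constructed sample in GB_3^8: values 0 and 4 once each, 1 and 5 three
# times each. The weight is 7 = 2^3 - 2^0 and zeta^5 = -zeta cancels the
# character sum, yet the values 2, 3, 6 and 7 never occur.
WITNESS_Z8 = (0, 4, 1, 1, 1, 5, 5, 5)


if __name__ == "__main__":
    print("GB_2^4 census:", census(2, 4))
    print("Z_8 witness: weight ok =", satisfies_weight(WITNESS_Z8, 8),
          "| H_f(0) = 0:", satisfies_wht(WITNESS_Z8, 8),
          "| balanced:", is_balanced(WITNESS_Z8, 8))
```
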

Theorem 2.21. A generalized Boolean function $f \in \mathcal{GB}_n^{2^\ell}$ such that
$f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$ for $\mathbf{x} \in \mathbb{V}_n$ is
balanced if and only if all of its Boolean functions $a_j$ are balanced, and for each $j$ and
$h$ such that $0 \le j, h \le k-1$ and $j \ne h$, $d(a_j, a_h) = 2^{n-1}$.

Proof. ($\Rightarrow$) Let $f \in \mathcal{GB}_n^{2^\ell}$ be a balanced generalized Boolean
function. Consider the set of $2^\ell$ binary vectors $(c_j)_2$ which correspond to the unique
output values $c_j \in f(\mathbb{V}_n)$, $0 \le j \le 2^\ell - 1$. This set equals
$\mathbb{V}_2^\ell$, which is balanced with respect to the number of 0's and 1's it contains.
Moreover, for each column $\mathbf{v}_j$ and $\mathbf{v}_h$ in $\mathbb{V}_2^\ell$,
$d(\mathbf{v}_j, \mathbf{v}_h) = 2^{\ell-1}$. Since each output value of $f$ occurs with
frequency $2^{n-\ell}$, this means that each function $a_j$ contains $2^{n-\ell}$ copies of
$\mathbf{v}_j$, thus there are $2^{n-\ell} \cdot 2^{\ell-1} = 2^{n-1}$ 0's and $2^{n-1}$ 1's and
for all Boolean functions $a_j$ and $a_h$, where $j \ne h$, $d(a_j, a_h) = 2^{n-1}$.

($\Leftarrow$) Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a collection of $k$ balanced Boolean
functions in $n$ variables, such that for all $j$ and $h$ such that $0 \le j, h \le k-1$ and
$j \ne h$, $d(a_j, a_h) = 2^{n-1}$. Let $f$ be a generalized Boolean function
$f \in \mathcal{GB}_n^{2^\ell}$ constructed using $B$ such that
$f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, where $\mathbf{x} \in \mathbb{V}_n$.
Consider the composite truth table $A = [a_0, a_1, \ldots, a_{k-1}]$. $A$ consists of $2^n$
binary row vectors of length $k$. Each Boolean function is balanced and for any two distinct
column vectors (Boolean functions) in $A$, the pairwise distance between them is $2^{n-1}$.
Thus, it must be the case that all vectors in $\mathbb{V}_2^\ell$ appear in $A$ with frequency
$2^{n-\ell}$. Considering the fact that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$
and each value $c_j \in f(\mathbb{V}_n)$ is also a binary row vector in $A$, the result has been
demonstrated. ■


We can obtain a count for the number of balanced generalized Boolean functions by again
considering the composite truth table $A$ of the set of Boolean functions
$f \in \mathcal{GB}_n^{2^\ell}$. Let $b\mathcal{GB}_n^{2^\ell}$ represent the set of all balanced
generalized Boolean functions. There are $\binom{2^n}{2^{n-1}}$ ways in which to select the
$2^{n-1}$ 1's in $a_0$. For these 1's, half of the corresponding values

$\binom{2^{n-1}}{2^{n-2}}$

possible ways to select these $2^{n-2}$ 1's. Additionally, for the values of $a_1$ corresponding
to the remaining 0's in $a_0$, half must be 1's and half must be 0's. One can certainly proceed
in a similar fashion to get the count, or alternatively, observe that to get a balanced
function, one can choose $2^{n-\ell}$ input vectors out of $2^n$ to assign (via $f$) the value 0;
next choose $2^{n-\ell}$ input vectors out of $2^n - 2^{n-\ell}$ to assign the value 1, etc. That
is,

$$\binom{2^n}{2^{n-\ell}} \binom{2^n - 2^{n-\ell}}{2^{n-\ell}} \cdots \binom{2^{n-\ell}}{2^{n-\ell}} = \binom{2^n}{2^{n-\ell},\ 2^{n-\ell},\ \ldots,\ 2^{n-\ell}},$$

the multinomial coefficient with equal parts, each of size $2^{n-\ell}$.

Definition 2.22. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is called symmetric if it remains invariant under the full symmetric group $S_n$.

The task of constructing symmetric generalized Boolean functions $f \in \mathcal{GB}_n^q$ involves partitioning $\mathbb{V}_n$ into $q$ subsets, each of which contains all input vectors of a specific Hamming weight. These $q$ subsets are subsequently mapped to unique values from $\mathbb{Z}_q$. The number of vectors in $\mathbb{V}_n$ with a given Hamming weight $h$ is $\binom{n}{h}$, thus the cardinality of the subsets within the partition corresponds to the set of binomial coefficients.

In order to establish exactly how many such functions exist, we proceed as follows: First, let $s\mathcal{GB}_n^q$ represent the total number of symmetric generalized Boolean functions for given $n$ and $q$. Stirling numbers of the second kind, denoted $\left\{ {n+1 \atop q} \right\}$, count the number of ways we can partition the set of $n + 1$ possible weights of binary input vectors of length $n$ into $q$ nonempty sets. These $q$ nonempty sets must subsequently be mapped to the $q$ possible output values, which can be arranged in $q!$ possible ways. Therefore,


Theorem 2.23. A generalized Boolean function $f \in \mathcal{GB}_n^q$ such that $f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$ is symmetric if and only if each of the Boolean functions $a_i(\mathbf{x})$, $i \in \{0, 1, \ldots, k-1\}$, is symmetric.

Proof. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function such that

$$f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x}),$$

$a_i \in \mathcal{B}_n$. We prove the claim using a counting argument. If a generalized Boolean function in $\mathcal{GB}_n^q$ is symmetric, its output remains constant for specific weights of the input $\mathbf{x}$. There are a total of $n + 1$ possible weights for $\mathbf{x}$. To each of these weights, we have $q$ possible output values. Thus there are $q^{n+1}$ symmetric functions in $\mathcal{GB}_n^q$. If $q = 2^k$, there are $2^{k(n+1)}$ symmetric functions. Since $f(\mathbf{x}) = a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1}a_{k-1}(\mathbf{x})$, we also see that there are $2^{n+1}$ possible symmetric Boolean functions for each $a_i$ and a total of $2^{(n+1)k}$ possibilities. These two counts agree and our claim is thus proved. ■

The question of when a Boolean function $f \in \mathcal{B}_n$ is both symmetric and balanced is interesting. Such functions can only exist in the cases where one is able to partition (bisect) the binomial coefficients into two subsets each of sum $2^{n-1}$. Although not the main topic of this dissertation, we provide a few remarks regarding the subject here due to the dissertation author's involvement in this research [27].


Letting $\sum_{i=0}^{n} \delta_i \binom{n}{i} = 0$, where $\delta_i \in \{-1, 1\}$, we can represent $[\delta_0, \ldots, \delta_n]$ as a solution to the bisection problem. By the binomial theorem, $\sum_{i=0}^{n} (-1)^i \binom{n}{i} = (1 - 1)^n = 0$, hence $\pm[1, -1, 1, -1, \ldots]$ is always a solution. Moreover, observe that if $n$ is odd then $[\delta_0, \ldots, \delta_{(n-1)/2}, \ldots, -\delta_0]$, with $\delta_i \in \{-1, 1\}$ arbitrarily chosen, produces $2^{(n+1)/2}$ solutions. These are referred to as trivial solutions. Additional, nontrivial bisections occur sporadically. Letting $J_n$ represent the set of bisection solutions for a given $n$, we have the following theorem:

Theorem 2.24. [27] If $p$ is a prime number, then $J_{p-1} = 2$.

Proof. The statement is obviously true if $p = 2$, so we may assume that $p$ is an odd prime. We let $n = p - 1$ and observe that $n \equiv -1 \pmod{p}$. We want to show that $\binom{n}{j} \equiv (-1)^j \pmod{p}$, for every $j \in \{0, 1, \ldots, n\}$. This is clearly true for $j = 0$. Since every $j \in \{1, \ldots, n\}$ has an inverse modulo $p$, we have for $j \in \{1, \ldots, n\}$

$$\binom{n}{j} = \frac{n(n-1)\cdots(n-j+1)}{j!} \equiv \frac{(-1)(-2)\cdots(-1-j+1)}{j!} \equiv (-1)^j \pmod{p}.$$

Hence, if $[\delta_0, \ldots, \delta_n]$ is a solution of the bisection problem,

$$0 = \sum_{j=0}^{n} \delta_j \binom{n}{j} \equiv \sum_{j=0}^{n} (-1)^j \delta_j \pmod{p},$$

but the number

$$A := \sum_{j=0}^{n} (-1)^j \delta_j \equiv 0 \pmod{p}$$

is an odd number ($n + 1 = p$ is an odd prime) satisfying

$$|A| \le \sum_{j=0}^{n} \left|(-1)^j \delta_j\right| = \sum_{j=0}^{n} 1 = n + 1 = p. \qquad (2.2)$$

Because $A$ cannot be zero, the only possible values of $A$ are $p$ or $-p$. Then the equality $|A| = p = n + 1$ in (2.2) forces $\delta_j = \pm(-1)^j$, for all $j$. Therefore, we have only the two trivial solutions, that is, $J_n = 2$ [27]. ■

Using the Hamming high performance computer (HPC) at the Naval Postgraduate School, and a parallel computer program written in Julia (see Appendix A.2), we were able to exhaustively search for nontrivial binomial bisections for $n < 51$ [27]. We verified the computational data previously provided by [10] and [21] for $n < 37$, and obtained additional results for $37 < n < 51$. These results have been included in Appendix A.1 and the number of nontrivial solutions appear as A200147 in the Online Encyclopedia of Integer Sequences.
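The search described above can be reproduced at small scale. The following Python sketch is an added example, not the Julia program from the dissertation's appendix; the function names are assumptions chosen here. It counts $J_n$ by dynamic programming over partial signed sums, lists nontrivial bisections by brute force for small $n$, and turns a bisection into the symmetric balanced Boolean function it corresponds to.

```python
from itertools import product
from math import comb


def count_bisections(n):
    """J_n: number of sign vectors delta in {-1,1}^(n+1) with
    sum(delta_i * C(n, i)) = 0, counted by DP over reachable partial sums."""
    sums = {0: 1}
    for i in range(n + 1):
        c = comb(n, i)
        nxt = {}
        for s, ways in sums.items():
            nxt[s + c] = nxt.get(s + c, 0) + ways
            nxt[s - c] = nxt.get(s - c, 0) + ways
        sums = nxt
    return sums.get(0, 0)


def is_trivial(delta):
    """Trivial solutions as described in the text: +/-[1,-1,1,...] for any n,
    and, for odd n, any vector with delta_(n-i) = -delta_i."""
    n = len(delta) - 1
    alternating = all(delta[i] == delta[0] * (-1) ** i for i in range(n + 1))
    antisymmetric = n % 2 == 1 and all(
        delta[i] == -delta[n - i] for i in range(n + 1))
    return alternating or antisymmetric


def nontrivial_bisections(n):
    """Brute-force enumeration of nontrivial bisections (small n only)."""
    coeffs = [comb(n, i) for i in range(n + 1)]
    return [d for d in product((1, -1), repeat=n + 1)
            if sum(s * c for s, c in zip(d, coeffs)) == 0
            and not is_trivial(d)]


def symmetric_function(delta):
    """Truth table of the symmetric Boolean function f(x) = 1 iff
    delta[wt(x)] = +1; it is balanced exactly when delta is a bisection."""
    n = len(delta) - 1
    return [1 if delta[bin(x).count("1")] == 1 else 0 for x in range(1 << n)]


if __name__ == "__main__":
    for p in (2, 3, 5, 7, 11, 13, 17):
        print("p =", p, " J_(p-1) =", count_bisections(p - 1))
    found = nontrivial_bisections(8)
    print("nontrivial bisections for n = 8:", len(found))
    print("one of them:", found[0], "weight of f:",
          sum(symmetric_function(found[0])))
```

For n = 8 the coefficients 1, 56, 70, 1 (indices 0, 3, 4, 8) sum to 128, which gives a bisection that is not the alternating one.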

Looking at the bisection solution data in Appendix A.1 we observed some additional patterns. Using some identities, which were first pointed out by Jefferies [21], along with solutions to diophantine equations, we were able to produce some infinite classes of integers admitting nontrivial bisections. We present the following from our research without proof. Additional discourse on this topic along with the proof of the following theorem can be found in the paper entitled Bisecting binomial coefficients which recently appeared in the journal Discrete Applied Mathematics [27].


Theorem  2.25.  [27]  The  following  hold: 

1.  Ifn  =  k2  —  2,  k  >  4  even,  then  Jn  >  10,  Jn- 1  >  +  2^  3  (tight). 

2.  Ifk  =  0,1  (mod  3)  and  n  =  Ua-+i+2F4A.  6,  ^  >  2+  +2^. 

3.  Let  n  =  4k2  +  16 k  +  13, k  >  0.  Then,  there  are  at  least  2^"+1^2-3 
nontrivial  bisections  for  the  binomial  coefficients  j  (")  j  ,  and  so, 

,  ^  ^  M+l  _  ft— 1 

Jn  ^  2  2  2  2  . 
Based on related search data, we make the following conjecture regarding the impossibility of further sub-dividing the binomial coefficients into equal parts.

Conjecture 2.26. There are no $2^k$-sections of the binomial coefficients for $k > 1$.

Should a proof of this conjecture emerge, it would mean that symmetric and balanced generalized Boolean functions do not exist.
CHAPTER 3:

Correlation  Immune  Generalized  Boolean  Functions 


The  Devil  is  in  the  details,  but  so  is 
salvation. 

Hyman  G.  Rickover  **** 


3.1  Introduction 

Siegenthaler first described the correlation attack in 1984 [40]. This type of known plaintext attack provides cryptanalysts with a method of attacking stream ciphers which are generated using multiple linear feedback shift registers (LFSRs) and a nonlinear combiner which is plagued by a poorly chosen Boolean function. Correlation attacks involve careful examination of input vectors and their associated functional outputs in order to determine whether the value of a single bit, or the values of a subset of bits in the input vector, exert greater influence over the output than others. If this is the case, attackers can use this information to surmise something about the structure of the underlying Boolean function as well as the outputs of the LFSRs. Cusick and Stanica provide an example of such a poorly chosen function in [11, p. 58] that we, for illustrative purposes, provide here.

Example 3.1. Consider the following 3-variable Boolean function $f(\mathbf{x}) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$ and its associated truth table:

Input    000  001  010  011  100  101  110  111
Output    0    0    0    1    0    1    1    1

To determine whether or not the value of a single input bit exerts an undue influence over the output, we use the truth table and compute conditional probabilities for each bit of the input vectors, $\mathbf{x}$. For example, the probability that the first bit $x_1$ is 0 given the fact that the function's output equals 0 is

$$\Pr(x_1 = 0 \mid f(\mathbf{x}) = 0) = \frac{\Pr(x_1 = 0 \cap f(\mathbf{x}) = 0)}{\Pr(f(\mathbf{x}) = 0)} = \frac{3/8}{4/8} = 3/4.$$

Proceeding similarly, we calculate the conditional probabilities for each of the remaining possibilities and obtain the results listed in Table 3.1.


Table 3.1: Conditional probability table for a Boolean function

Conditional Prob. Given f(x) = 0      Conditional Prob. Given f(x) = 1
Pr(x_1 = 0 | f(x) = 0) = 3/4          Pr(x_1 = 0 | f(x) = 1) = 1/4
Pr(x_1 = 1 | f(x) = 0) = 1/4          Pr(x_1 = 1 | f(x) = 1) = 3/4
Pr(x_2 = 0 | f(x) = 0) = 3/4          Pr(x_2 = 0 | f(x) = 1) = 1/4
Pr(x_2 = 1 | f(x) = 0) = 1/4          Pr(x_2 = 1 | f(x) = 1) = 3/4
Pr(x_3 = 0 | f(x) = 0) = 3/4          Pr(x_3 = 0 | f(x) = 1) = 1/4
Pr(x_3 = 1 | f(x) = 0) = 1/4          Pr(x_3 = 1 | f(x) = 1) = 3/4

Examining the table we see that if the function's output is zero, the probabilities that each respective input bit, $x_1$, $x_2$, and $x_3$, equals zero are all .75. From a cryptographic perspective this is highly undesirable! Armed with this information and known plaintext, an adversary readily obtains information about the outputs of the LFSRs, which in turn can be used to launch an attack on each LFSR, thereupon recovering the keystream of the system.

To avoid this unfortunate situation, we need to be more circumspect in how we go about choosing our Boolean function. To be in a position to select more wisely we initially adopt a "black box" view of the problem and consider input vectors and the output values to which they are mapped. We partition the set of input vectors $\mathbb{V}_n$ into two sets $V_0$ and $V_1$, such that $\forall \mathbf{x} \in V_0$, $f(\mathbf{x}) = 0$ and $\forall \mathbf{x} \in V_1$, $f(\mathbf{x}) = 1$. Clearly, in order to not give away any information to a would-be attacker, for $i = 1, 2, 3$, the conditional probabilities for all $\mathbf{x} \in V_0$ must satisfy $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = \Pr(x_i = 1 \mid f(\mathbf{x}) = 0) = 1/2$. Consequently, we recognize that $|V_0| > 1$. If this were not the case, the output value 0 would appear only once in the function's truth table and it would be associated with a single input vector $\mathbf{x}$. This in turn would result in the probability $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0)$, for each respective index $i$, $1 \le i \le 3$, being equal to either 1 or 0. It is, however, possible for $|V_0|$ to equal 2 and ensure that the necessary conditional probabilities hold. Partitioning $\mathbb{V}_n$ using complementary input vectors we can construct a Boolean function $f : \mathbb{V}_n \to \mathbb{F}_2$ with the desired conditional probability properties we seek. Partition $\mathbb{V}_n$ into two subsets, $S_0$, $S_1$, such that $\forall \mathbf{x} \in S_j$, $\bar{\mathbf{x}} \in S_j$ and $f(\mathbf{x}) = f(\bar{\mathbf{x}}) = j$, where $j = 0, 1$. To see that this will produce the desired result, consider the following: For each pair of vectors, $\mathbf{x}, \bar{\mathbf{x}} \in S_j$, and each bit $x_i$, where $i = 1, 2, \ldots, n$, there is one vector where $x_i = 0$ and one vector where $x_i = 1$. This means that if $S_j$ contains $m$ pairs of complementary vectors, then for each $i$, there are $m$ vectors where $x_i = 0$ and $m$ vectors where $x_i = 1$, which in turn yields

$$\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = \Pr(x_i = 1 \mid f(\mathbf{x}) = 0) = \frac{m/2^n}{2m/2^n} = \frac{1}{2}.$$

Equipped with this new-found insight, we tailor the following truth table for our new Boolean function:

Input    000  001  010  011  100  101  110  111
Output    1    1    1    0    0    1    1    1

Converting the truth table into ANF yields the Boolean function $f(\mathbf{x}) = 1 \oplus x_2x_3 \oplus x_1 \oplus x_1x_3 \oplus x_1x_2$. We subsequently compute the conditional probabilities given in Table 3.2, and verify that our analysis did in fact render a Boolean function with the desired properties.

Table 3.2: Conditional probability table for an order 1 correlation immune Boolean function

Conditional Prob. Given f(x) = 0      Conditional Prob. Given f(x) = 1
Pr(x_1 = 0 | f(x) = 0) = 1/2          Pr(x_1 = 0 | f(x) = 1) = 1/2
Pr(x_1 = 1 | f(x) = 0) = 1/2          Pr(x_1 = 1 | f(x) = 1) = 1/2
Pr(x_2 = 0 | f(x) = 0) = 1/2          Pr(x_2 = 0 | f(x) = 1) = 1/2
Pr(x_2 = 1 | f(x) = 0) = 1/2          Pr(x_2 = 1 | f(x) = 1) = 1/2
Pr(x_3 = 0 | f(x) = 0) = 1/2          Pr(x_3 = 0 | f(x) = 1) = 1/2
Pr(x_3 = 1 | f(x) = 0) = 1/2          Pr(x_3 = 1 | f(x) = 1) = 1/2

The function which we constructed above is referred to as a correlation immune (order 1) function. Order 1 refers to the fact that it only satisfies the conditional probability requirements for a single bit. It is of course possible to consider larger subsets of bits in the input vectors of a function. In the above case, $f$ fails in multiple instances when we consider value assignments of the $\binom{3}{2}$ two bit subsets. For example,

$$\Pr(x_1 = 0, x_3 = 0 \mid f(\mathbf{x}) = 1) = \frac{2}{6} = 1/3.$$
Correlation attacks take advantage of differences in the conditional probabilities between subsets of input vector bits and the associated outputs of a function. Seen from this "black box" perspective, it is of little consequence whether the function's output is binary or a subset of values from some other ring $\mathbb{Z}_q$ ($q > 2$). If a cryptographer hopes to render a function immune to this adversarial technique, he must ensure that balanced conditional probabilities exist for all values of the image of $f$. Thus far, we have considered output values $c \in \mathbb{F}_2$, but we could have just as well considered the output values $c \in \mathbb{Z}_q$. As such, there is a very natural extension of the concept of correlation immunity into the domain of generalized Boolean functions. With this in mind, we extend Cusick and Stanica's definition of correlation immunity from [11, p. 55].

Definition 3.2. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to be correlation immune of order $t$, with notation $CI(t)$, $1 \le t \le n$, if for any fixed subset of $t$ variables the probability that, given the value of $f(\mathbf{x})$, the $t$ variables have any fixed set of values, is always $2^{-t}$ no matter what the choice of the fixed set of $t$ values is.


When exploring the notion of correlation immunity for generalized Boolean functions, a fitting place to begin is perhaps by contemplating just how many output values, $c \in \mathbb{Z}_q$, a correlation immune generalized Boolean function could possibly achieve.

Theorem 3.3. If $f \in \mathcal{GB}_n^q$ is a CI (order 1) generalized Boolean function, then the number of occurrences of each output value $c \in \mathbb{Z}_q$ that $f$ achieves is even.


Proof. Let $f \in \mathcal{GB}_n^q$ be a CI (order 1) generalized Boolean function. Let $\mathbf{x} = (x_n, \ldots, x_1) \in \mathbb{V}_n$. Suppose $S$ instances of a specific output value, $c \in \mathbb{Z}_q$, occur in the truth table of $f$. Let $V_c \subseteq \mathbb{V}_n$ represent the set of all vectors $\mathbf{x}$ such that $f(\mathbf{x}) = c$. For each $i = 1, 2, \ldots, n$, let $V_{(0,i)} \subseteq V_c$ be the subset of vectors such that $x_i = 0$ and $f(\mathbf{x}) = c$ and let $V_{(1,i)} \subseteq V_c$ be the subset of vectors such that $x_i = 1$ and $f(\mathbf{x}) = c$. Then, since $f$ is CI(1), for each $i = 1, 2, \ldots, n$ we have

$$\Pr(x_i = 0 \mid f(\mathbf{x}) = c) = \frac{\Pr(x_i = 0 \cap f(\mathbf{x}) = c)}{\Pr(f(\mathbf{x}) = c)} = \frac{|V_{(0,i)}|/2^n}{|V_c|/2^n} = \frac{|V_{(0,i)}|}{S} \implies |V_{(0,i)}| = \frac{S}{2}$$

and

$$\Pr(x_i = 1 \mid f(\mathbf{x}) = c) = \frac{\Pr(x_i = 1 \cap f(\mathbf{x}) = c)}{\Pr(f(\mathbf{x}) = c)} = \frac{|V_{(1,i)}|/2^n}{|V_c|/2^n} = \frac{|V_{(1,i)}|}{S} \implies |V_{(1,i)}| = \frac{S}{2}.$$

For each $i$, $x_i$ is either 0 or 1, so $V_{(0,i)}$ and $V_{(1,i)}$ are mutually exclusive. Moreover, $|V_{(0,i)}| = |V_{(1,i)}|$ for all $i$, therefore $2 \cdot |V_{(0,i)}| = 2 \cdot |V_{(1,i)}| = S$, and the result is thus proven. ■

Corollary 3.4. Let $f \in \mathcal{GB}_n^q$ be a correlation immune (order 1) generalized Boolean function and let $f(\mathbb{V}_n)$ be the image of $f$. Then $|f(\mathbb{V}_n)| \le 2^{n-1}$.

Proof. The result is an immediate consequence of Theorem 3.3. Let $f \in \mathcal{GB}_n^q$ be a CI(1) generalized Boolean function. Since the number of occurrences of each distinct output value $c \in f(\mathbb{V}_n)$ must be divisible by 2, the maximum number of output values is therefore

$$\frac{|\mathbb{V}_n|}{2} = \frac{2^n}{2} = 2^{n-1}. \qquad ■$$

Remark 3.5. We have already demonstrated how one can create a CI(1) generalized Boolean function $f \in \mathcal{GB}_n^q$, by ensuring that $f(\mathbf{x}) = f(\bar{\mathbf{x}})$, for all $\mathbf{x} \in \mathbb{V}_n$. By assigning a distinct value, $c \in \mathbb{Z}_q$, for each vector pair $\mathbf{x}, \bar{\mathbf{x}}$ we achieve the above stated upper bound.


3.2  Correlation  Immune  Constructions 

There are numerous ways in which to construct correlation immune (order 1) Boolean functions. In addition to the so-called "folklore" construction, that we have touched upon, a method which we refer to as the "complementation construction" works well. In this case we create correlation immune (order 1) Boolean functions $f \in \mathcal{B}_n$ using the following algorithm:


Algorithm 2 CI(1) Complementation Construction for Boolean Functions

1: Write the truth table of $f$, in which the binary vectors of length $n$ are in lexicographic order.

2: Label the first $2^{n-1}$ entries of the truth table with $2^{n-2}$ 0's and $2^{n-2}$ 1's in any order desired.

3: Label the remaining $2^{n-1}$ entries of the truth table by copying the first $2^{n-1}$ entries of the truth table into the second half of the truth table and then complement each of these entries.
Example 3.6. Consider the following truth table of a correlation immune order 1 function $f \in \mathcal{B}_4$, which was created using the complementation algorithm. In order to highlight the complementation process and motivate the subsequent proof of correctness of the algorithm, we include the set of input vectors, $\mathbb{V}_4$, and place the two halves of the truth table side-by-side.


Table 3.3: A CI(1) Boolean function $f \in \mathcal{B}_4$

V_4    f      V_4    f
0000   0      1000   1
0001   0      1001   1
0010   1      1010   0
0011   0      1011   1
0100   1      1100   0
0101   1      1101   0
0110   1      1110   0
0111   0      1111   1

Proof of Correctness of the CI(1) Boolean Function Complementation Construction:

Suppose we create a Boolean function $f \in \mathcal{B}_n$ using the preceding algorithm. To show that the algorithm indeed renders a correlation immune (order 1) function, we argue as follows: Partition the set of input vectors $\mathbb{V}_n$ into two sets, $V_0$ and $V_1$, such that for all $\mathbf{x} \in V_j$, $f(\mathbf{x}) = j$, where $j = 0$ or $j = 1$. Let $V_j'$ represent the set of sub-vectors of the $n - 1$ least significant bits of $V_j$. Since the second half of the truth table is a complemented copy of the first half, $V_j' = \mathbb{V}_{n-1}$ for both $j = 0$ and $j = 1$. Now, for each column $i$ from 1 to $n - 1$, we know that $\mathbb{V}_{n-1}$ is balanced (contains an equal number of 0's and 1's), therefore it must also be the case that each set $V_j'$, where $j = 0$ or 1, is also balanced with respect to the first $n - 1$ columns. Moreover, the algorithm required that the first half of the truth table was balanced, which in turn ensures that the $n$th column is also balanced in both $V_0$ and $V_1$. Consequently, for all $i$ from 1 to $n$, $\Pr(x_i = 0 \mid f(\mathbf{x}) = 0) = 1/2$, thus demonstrating that the function is correlation immune (order 1).

The complementation algorithm allows us to create a great many CI(1) Boolean functions. Unfortunately, this construction method is not well suited for building correlation immune (order 1) generalized Boolean functions. For this, we require a more general technique which partitions $\mathbb{V}_n$ into appropriate subsets of input vectors, which each can in turn be mapped to different output values of $\mathbb{Z}_q$. To accomplish this task we generalize the "folklore" construction. This method required that the function be such that for all $\mathbf{x} \in \mathbb{V}_n$, $f(\mathbf{x}) = f(\bar{\mathbf{x}})$. In other words, $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a})$, where $wt(\mathbf{a}) = n$. Recall that a vector $\mathbf{a} \in \mathbb{V}_n$ is a linear structure of a function $f$, if the derivative of $f$ with respect to $\mathbf{a}$ remains constant. In other words, for all CI(1) functions $f$, which were created using the "folklore" construction, $\mathbf{a} = 111 \ldots 1$ is a linear structure of $f$. There is, per se, no reason why we must choose this linear structure. We might just as well have chosen another linear structure.


Algorithm 3 CI(1) generalized Boolean function construction

1: Pick a vector, $\mathbf{a} \in \mathbb{V}_n$, such that $0 \le K \le n - 1$ and $wt(\mathbf{a}) = n - K$.

2: For all $\mathbf{x} \in \mathbb{V}_n$, pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$.

3: Vectors within each of the $2^{n-1}$ pairs agree in $K$ positions. If $K = 0$, map each pair to any desired output value in $\mathbb{Z}_q$. Otherwise, for each pair of vectors, combine it with a corresponding pair of vectors which differ with respect to the bits found at the indices where 0's occur in $\mathbf{a}$.

4: Finally, map each of the $2^{n-2}$ sets of four vectors to any output value in $\mathbb{Z}_q$.


Proof of Correctness of the CI(1) Generalized Boolean Function Construction: Suppose we create a Boolean function $f \in \mathcal{GB}_n^q$ where $1 \le q \le 2^{n-1}$, using the above described algorithm. The set of input vectors $\mathbb{V}_n$ is a linear vector space, so for every $\mathbf{a} \in \mathbb{V}_n$, the procedure whereby, for all $\mathbf{x} \in \mathbb{V}_n$, we pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$ uniquely partitions $\mathbb{V}_n$ into $2^{n-1}$ pairs of vectors. Let $K$ represent the number of zeros contained in $\mathbf{a}$, so $wt(\mathbf{a}) = n - K$. Then the vectors, $\mathbf{x}$ and $\mathbf{x}'$, within each pair agree in $K$ of the $n$ index positions. If $K = 0$, each vector pair can be mapped to any output value $c \in \mathbb{Z}_{2^{n-1}}$. (This is the "folklore" construction.) If on the other hand $K > 0$, then there are $2^K$ possible combinations for the bits in the $K$ indices which correspond to where zeros occur in $\mathbf{a}$. However, since we have partitioned $\mathbb{V}_n$, and each column of $\mathbb{V}_n$ contains an equal number of 0's and 1's, there must be $2^{n-1-K}$ vector pairs which contain each of the $2^K$ possibilities. This in turn guarantees that for every vector pair within the partition, it is always possible to combine two corresponding pairs of vectors which disagree with respect to each of the bits found at the indices where zeros occur in $\mathbf{a}$. In fact, for a given $\mathbf{a}$, there are a total of

$$\left(2^{n-1-K}!\right)^{2^{K-1}}$$

such groupings. Once one of these groupings has been carried out, we have ensured that each set of four vectors contains an equal number of 0's and 1's with respect to those indices. For the remaining indices, $\mathbf{a}$ contained all ones, which ensured that each of the $2^{n-1}$ vector pairs already contained a balance of 0's and 1's in these positions. Thus, by subsequently mapping each set of four vectors to an output value $c \in \mathbb{Z}_{2^{n-2}}$, the algorithm guarantees that for all $i$ from 1 to $n$, $\Pr(x_i = 0 \mid f(\mathbf{x}) = c) = 1/2$. Hence the function is correlation immune (order 1).


Example 3.7. Suppose we wish to construct a CI(1) generalized Boolean function $f \in \mathcal{GB}_4^q$ where $1 \le q \le 4$. Rather than using the all ones vector to partition $\mathbb{V}_n$, we select instead the vector $\mathbf{a} = 1010$. Letting $K$ represent the number of zeros in $\mathbf{a}$, we then have $K = 2$ with zeros occurring at index 1 and 3 (indexing from least to most significant bit). For each $\mathbf{x} \in \mathbb{V}_4$, we pair $\mathbf{x}$ with $\mathbf{x}' = \mathbf{x} \oplus \mathbf{a}$. Doing so yields the following partition:

0000   0010   0100   0110   0001   0011   0101   0111
1010   1000   1110   1100   1011   1001   1111   1101

Since $K = 2$, there are $2^2 = 4$ possible two bit combinations for the bits located at index 1 and 3. Moreover, there are $2^{n-1-K} = 2$ pairs of vectors which contain each of the 4 possible bit combinations at indices 1 and 3. We now combine each pair of vectors with a corresponding pair which disagrees with respect to the bits at index 1 and 3. There are a total of $\left(2^{n-1-K}!\right)^{2^{K-1}} = (2!)^2 = 4$ possible ways this can be accomplished. Finally, we map each of the $2^{n-2} = 4$ sets of vectors to 4 possible output values from $\mathbb{Z}_4$. Therefore, based on our selection of $\mathbf{a}$, there are a total of $4^4 = 256$ possible correlation immune (order 1) generalized Boolean functions which can be constructed using this algorithm. We list one such possible function in Table 3.4:
Table 3.4: A CI(1) generalized Boolean function $f \in \mathcal{GB}_4^4$

V_4    f
0000   0
0001   3
0010   2
0011   1
0100   1
0101   2
0110   3
0111   0
1000   2
1001   1
1010   0
1011   3
1100   3
1101   0
1110   1
1111   2
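Definition 3.2, the conditional probabilities of Example 3.1, and Algorithm 3 can all be checked mechanically on truth tables. The Python sketch below is an added example and not code from the dissertation; the function names and the random choice of grouping and output values in `algorithm3` are assumptions made here. It generalizes the tables above to any $n$, $t$ and $q$.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations
import random


def bits(x, n):
    """Integer x as the input vector (x_n, ..., x_1), most significant first."""
    return tuple((x >> (n - 1 - i)) & 1 for i in range(n))


def cond_prob(table, n, pos, bit, c):
    """Pr(bit at 0-based position pos == bit | f(x) == c); c must be attained."""
    fibre = [bits(x, n) for x in range(1 << n) if table[x] == c]
    return Fraction(sum(v[pos] == bit for v in fibre), len(fibre))


def is_ci(table, n, t):
    """Definition 3.2 on a truth table listed in lexicographic input order.

    For every output value c and every choice of t positions, each of the 2^t
    bit patterns must occur equally often among the inputs with f(x) = c.
    """
    fibres = defaultdict(list)
    for x, c in enumerate(table):
        fibres[c].append(bits(x, n))
    for vecs in fibres.values():
        if len(vecs) % (1 << t):
            return False
        want = len(vecs) >> t
        for cols in combinations(range(n), t):
            counts = defaultdict(int)
            for v in vecs:
                counts[tuple(v[i] for i in cols)] += 1
            if len(counts) != 1 << t or any(k != want for k in counts.values()):
                return False
    return True


def ci_order(table, n):
    """Largest t for which the function is CI(t); 0 means not even order 1."""
    t = 0
    while t < n and is_ci(table, n, t + 1):
        t += 1
    return t


def algorithm3(n, a, q, rng):
    """Algorithm 3 with a randomly chosen grouping and random values in Z_q.

    a is the nonzero pairing vector as an integer. Returns (table, blocks).
    """
    if not 0 < a < (1 << n):
        raise ValueError("a must be a nonzero vector of length n")
    zero_mask = ((1 << n) - 1) ^ a          # positions where a has a 0
    by_pattern = defaultdict(list)          # bits on those positions -> pairs
    seen = set()
    for x in range(1 << n):
        if x not in seen:
            seen.update((x, x ^ a))
            by_pattern[x & zero_mask].append((x, x ^ a))
    if zero_mask == 0:                      # K = 0: the "folklore" construction
        blocks = list(by_pattern[0])
    else:                                   # K > 0: join complementary pairs
        blocks = []
        for pattern in sorted(by_pattern):
            partner_pattern = pattern ^ zero_mask
            if pattern < partner_pattern:
                partners = by_pattern[partner_pattern][:]
                rng.shuffle(partners)
                blocks += [p + r for p, r in zip(by_pattern[pattern], partners)]
    table = [0] * (1 << n)
    for block in blocks:
        value = rng.randrange(q)
        for x in block:
            table[x] = value
    return table, blocks


MAJORITY = [0, 0, 0, 1, 0, 1, 1, 1]      # Example 3.1
PAIRED = [1, 1, 1, 0, 0, 1, 1, 1]        # the f(x) = f(complement of x) table
TABLE_3_4 = [0, 3, 2, 1, 1, 2, 3, 0, 2, 1, 0, 3, 3, 0, 1, 2]

if __name__ == "__main__":
    print("Pr(x1=0 | f=0), Example 3.1:", cond_prob(MAJORITY, 3, 0, 0, 0))
    for name, tab, n in (("Example 3.1", MAJORITY, 3), ("paired", PAIRED, 3),
                         ("Table 3.4", TABLE_3_4, 4)):
        print(name, "CI order:", ci_order(tab, n))
    tab, blocks = algorithm3(4, 0b1010, 4, random.Random(1))
    print("Algorithm 3, a=1010:", blocks, tab, "CI(1):", is_ci(tab, 4, 1))
```

The check in `is_ci` is the same condition as requiring each set of inputs with a common output value to be a binary orthogonal array of strength $t$.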

3.3  A  Higher  Order  Correlation  Immune  Construction 

The above algorithm enables us to construct a large class of order 1 correlation immune generalized Boolean functions. Although higher order correlation immune functions are less prevalent, we would none-the-less like to devise an algorithm with which we can construct correlation immune generalized Boolean functions of higher order. Before proceeding we must first introduce the following:

Definition 3.8. [11, p. 72] An $m \times n$ array with entries from a set of $s$ elements is called an orthogonal array of size $m$ with $n$ constraints, $s$ levels, strength $t$, and index $r$, if any set of $t$ columns of the array contain all $s^t$ possible row vectors exactly $r$ times. We will throughout this dissertation denote such orthogonal arrays by $OA(m, n, s, t)$.




There is a close connection between correlation immune Boolean functions and orthogonal arrays. Camion, et al. first corresponded on this topic in 1992 [3].

Theorem 3.9. Every partition $P$ of $\mathbb{V}_n$ which consists of $q$ binary orthogonal arrays, each of index 1 and strength $t$, can be used to construct a correlation immune (order $t$) generalized Boolean function $f \in \mathcal{GB}_n^q$, and every order $t$ correlation immune generalized Boolean function $f \in \mathcal{GB}_n^q$ generates a partition $P$ of $\mathbb{V}_n$, where $P$ consists of $q$ binary orthogonal arrays, each of index 1 and strength $t$.

Proof. ($\Rightarrow$) Let $P$ be a partition of $\mathbb{V}_n$ comprised of $q$ binary orthogonal arrays $O_j$, $0 \le j \le q - 1$, each of index 1 and strength $t$. For all $j$ and all vectors $\mathbf{x} \in O_j$, map $\mathbf{x} \to c_j$, where each value $c_j$ is a distinct value in $\mathbb{Z}_q$. This creates a generalized Boolean function $f \in \mathcal{GB}_n^q$. By Definition 3.8, any set of $t$ columns of each $O_j$ contains all $2^t$ possible row vectors once. Given the stipulated mapping, this in turn means that according to Definition 3.2, $f$ is an order $t$ correlation immune generalized Boolean function.

($\Leftarrow$) Let $f \in \mathcal{GB}_n^q$ be an order $t$ correlation immune generalized Boolean function. For each distinct output value $c_j \in \mathbb{Z}_q$, $0 \le j \le q - 1$, partition $\mathbb{V}_n$ into $q$ subsets $O_j$ such that $O_j = \{\mathbf{x} \in O_j : f(\mathbf{x}) = c_j\}$. The function $f$ is correlation immune of order $t$, therefore according to Definition 3.2, for any fixed subset of $t$ input vector variables, $x_i$, $1 \le i \le n$, the probability that, for $f(\mathbf{x}) = c_j$, the $t$ variables have any fixed set of values is $2^{-t}$. Thus according to Def. 3.8, each $O_j$ must be an index 1, strength $t$ binary orthogonal array. ■

Consequently, although not mentioned at the time, the subsets of $\mathbb{V}_n$ which were created in the constructions of Algorithms 2 and 3 were in fact binary orthogonal arrays of index and strength 1. It is interesting to note that $\mathbb{V}_n$ is itself an orthogonal array of strength $n$. This is the reason why all constant functions are (order $n$) correlation immune.

Lemma 3.10. Let $O$ be an $OA(m, n, 2, t)$ binary orthogonal array. Complementing any column, $i$, $1 \le i \le n$, of $O$ produces another $OA(m, n, 2, t)$ binary orthogonal array.

Proof. Let $O$ be an $OA(m, n, 2, t)$ binary orthogonal array. Suppose by way of contradiction that we complement a column, $i$, $1 \le i \le n$, of $O$ and that the resultant array, $O'$, is no longer an orthogonal array. If $O'$ is not an orthogonal array, it must be the case that there exist some set of $t$ columns for which one of the $2^t$ possible binary row vectors occurs with a frequency less than $r$. Now, $O$ was an orthogonal array, so for all possible combinations of $t$ columns, each of the $2^t$ possible binary row vectors in $O$ occurred each with frequency $r$. The only changes made to $O$ took place in column $i$. Therefore, if one of the $2^t$ possible row vectors in $O'$ occurs with a frequency less than $r$, it must be the case that there exist an unequal number of 0's and 1's in column $i$ of $O'$. However, since column $i$ in $O'$ is the complement of column $i$ from $O$, this would mean that an imbalance of 0's and 1's existed in $O$, which in turn would mean that one of the $2^t$ possible binary row vectors of $O$ also occurred with a frequency less than $r$. This contradicts the fact that $O$ is an orthogonal array. We therefore conclude that complementing any column of an orthogonal array, $OA(m, n, 2, t)$, results in another orthogonal array, $OA(m, n, 2, t)$. ■


Example 3.11. Consider the following 4 x 3 binary array, $X$, along with all possible combinations of two of its columns:

X1 X2 X3     X1 X2     X1 X3     X2 X3
 0  0  0      0  0      0  0      0  0
 0  1  1      0  1      0  1      1  1
 1  0  1      1  0      1  1      0  1
 1  1  0      1  1      1  0      1  0

For every possible combination of 2 columns of $X$, the row vectors 00, 01, 10, and 11 all occur with frequency 1. Consequently, this is an $OA(4, 3, 2, 2)$ orthogonal array of index 1. Moreover, according to Lemma 3.10, complementing any column of $X$, for example column number 3, produces yet another $OA(4, 3, 2, 2)$ orthogonal array, $X'$:

X1 X2 X3
 0  0  1
 0  1  0
 1  0  0
 1  1  1


There also exists a relationship between orthogonal arrays and error correcting codes [2], [12], [19]. This connection is due to the fact that the codewords of an error correcting code can be used as the rows of an orthogonal array, or conversely the rows of an orthogonal array can be regarded as codewords of an error correcting code. For purposes which soon shall become clear, our construction will make use of orthogonal arrays created using linear error-correcting codes. Neither error-correcting codes nor orthogonal arrays are the focus of this dissertation. However, due to the central role which these topics play in our construction method of high order correlation immune generalized Boolean functions, we deem it prudent to include a few basic definitions, lemmas, and theorems for the benefit of readers unfamiliar with these topics. Rather than restating and reproving these results, much of this introductory material has been taken from Chapter 4 of Hedayat, Sloane, and Stufken's excellent monograph on orthogonal arrays [19]. For consistency's sake, we retain our finite field notation $\mathbb{F}_s$, where $s$ is a power of a prime, rather than adopt the authors' notation of $GF(s)$ found in the original publication.


Definition 3.12. [19, p. 65] An error correcting code $C$ of length $n$, size $m$, minimum pairwise Hamming distance between distinct codewords of $d$, and which is defined over an alphabet $S$ of size $|S| = s$, is denoted $(n,m,d)_s$. To any such code we associate the $m \times n$ array whose rows are the codewords of $C$. This array is an orthogonal array $OA(m,n,s,t)$ for some $t$.

Definition 3.13. [19, p. 63] A code $C$ of length $n$ is said to be linear if the codewords are distinct and $C$ is a vector subspace of $\mathbb{F}_s^n$, thus $C$ has size $m = s^\ell$ for some nonnegative integer $0 \le \ell \le n$. Additionally, the minimum distance $d$ for a linear code is equal to the minimal Hamming weight of any nonzero codeword.

Definition 3.14. [19, p. 40] An orthogonal array is simple if the rows of the array are distinct.

Definition 3.15. [19, p. 40] Let $s$ be a prime power. An orthogonal array $OA(m,n,s,t)$ with levels from $\mathbb{F}_s$ is said to be linear if it is simple and if, when considered as $n$-tuples from $\mathbb{F}_s$, its $m$ rows form a vector space over $\mathbb{F}_s$.

Lemma 3.16. [19, p. 65] The orthogonal array associated with a code is linear if and only if the code is linear.

Proof. This follows immediately from the preceding definitions of linearity.


A linear $(m,n)$-code can be concisely described using an $m \times n$ generator matrix, $G$, in which the rows of the matrix form a basis for the code. The code $C$ then consists of all vectors $u = xG$, where $x$ runs through all $x \in S^n$ [19, p. 64].

Example 3.17. The $(7,8,4)_2$ code can be represented using the following generator matrix:

$$G = \begin{bmatrix} 1 & 0 & 0 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix}.$$

Each of the $2^3 = 8$ codewords can then be obtained by using the encoding function, $E(x) = xG$, where $x \in V_3$. For example, the codeword associated with the vector $x = 010$ is:

$$E(010) = 010 \cdot \begin{bmatrix} 1 & 0 & 0 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix} = 0101011.$$

For each linear code $C$, there exists an associated linear code called its dual, which we denote by $C^\perp$. This code consists of all vectors $v \in S^n$ such that

$$uv^T = 0, \quad \forall u \in C.$$

For example, the dual of the $(7,8,4)_2$ code given in Example 3.17 is a $(7,16,3)_2$ Hamming code. We refer to a code which is its own dual as a self-dual code. The distance of the dual code of $C$ is further denoted $d^\perp$.


Lemma 3.18. [19, p. 54] Let $A$ be an orthogonal array $OA(m,n,s,t)$ with entries from $\mathbb{F}_s$. Then any $t$ columns of $A$ are linearly independent over $\mathbb{F}_s$.

Proof. $m \times 1$ vectors $v_1, \dots, v_t$ with components from a ring $R$ are said to be linearly independent over $R$ if the relation

$$c_1 v_1 + \cdots + c_t v_t = 0, \quad c_i \in R, \tag{3.1}$$

implies that $c_1 = \cdots = c_t = 0$. An equivalent condition is that the matrix $[v_1 \cdots v_t]$ has rank $t$ over $R$. Now let $v_1, \dots, v_t$ be any $t$ columns of $A$, and suppose (3.1) holds. There is a row vector $i$ with the first entry equal to 1 and others 0. Then (3.1) implies $c_1 = 0$. Similarly $c_2 = \cdots = c_t = 0$ [19, p. 54]. ■

Lemma 3.19. [19, p. 54] Let $A$ be an $m \times n$ matrix whose rows form a linear subspace of $\mathbb{F}_s^k$. If any $t$ columns of $A$ are linearly independent over $\mathbb{F}_s$, then $A$ is an orthogonal array $OA(m,n,s,t)$.


Proof. Suppose $m = s^\ell$, and let $G$ be an $\ell \times n$ generator matrix for $A$, so that the rows of $A$ consist of all $n$-tuples $\xi G$, where $\xi = (\xi_1, \dots, \xi_\ell)$, $\xi_i \in \mathbb{F}_s$. Choose $t$ columns of $A$, and let $G_1$ be the corresponding $\ell \times t$ submatrix of $G$. Clearly the columns of $G_1$ are linearly independent. The number of times that a $t$-tuple
z  appears  as  a  row  in  these  t  columns  of  A  is  equal  to  the  number  of  such  that 

Since $G_1$ has rank $t$, this number is $s^{\ell - t}$, for all $z$. Therefore $A$ is an orthogonal array of strength $t$ [19, p. 54]. ■

We  are  now  in  a  position  to  introduce  the  following  important  theorem  which  establishes 
the  connection  between  orthogonal  arrays  and  linear  codes  and  specifies  how  the  strength  of 
a  linear  orthogonal  array  is  related  to  the  associated  linear  code.  Although  we  use  Hedayat’s 
proof  of  the  theorem  here,  the  theorem  itself  is  attributed  to  Bose  who  included  the  result 
in  his  1961  paper  [2]. 
Theorem 3.20. [19, p. 66] If $C$ is a $(n,m,d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp$, then the codewords of $C$ form rows of an orthogonal array $OA(m,n,s,d^\perp - 1)$ with entries from $\mathbb{F}_s$. Conversely, the rows of a linear orthogonal array $OA(m,n,s,t)$ over $\mathbb{F}_s$ form a $(n,m,d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp \ge t + 1$. If the orthogonal array has strength $t$ but not $t + 1$, $d^\perp$ is precisely $t + 1$.

Proof. ($\Rightarrow$) Suppose $C$ is a $(n,m,d)_s$ linear code over $\mathbb{F}_s$ with dual distance $d^\perp$. Let $A$ be the array formed by the codewords of $C$. Any $d^\perp - 1$ columns of $A$ must be linearly independent over $\mathbb{F}_s$, or else there would be a codeword of weight less than $d^\perp$ in the dual code, which would contradict the hypothesis that $d^\perp$ is the minimal nonzero distance in the dual code. By Lemma 3.19, $A$ is an $OA(m,n,s,d^\perp - 1)$.

($\Leftarrow$) Conversely, let $C$ be the code associated with a linear $OA(m,n,s,t)$. By Lemma 3.18, any $t$ columns of the array are linearly independent, so there cannot be a codeword of weight $t$ or less in $C^\perp$. If the array does not have strength $t + 1$, some $t + 1$ columns are dependent, and so there is a codeword of weight $t + 1$ in the dual code, hence $d^\perp = t + 1$ [19, p. 66]. ■
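Theorem 3.20 can be checked by brute force on the $(7,8,4)_2$ code of Example 3.17. The following Python sketch is an added illustration, not part of the dissertation; the function names are chosen here. It enumerates the code and its dual, and measures the strength of each as an orthogonal array directly from the definition.

```python
from itertools import combinations, product

# Generator matrix of the (7,8,4)_2 code from Example 3.17.
G = [(1, 0, 0, 1, 1, 0, 1),
     (0, 1, 0, 1, 0, 1, 1),
     (0, 0, 1, 0, 1, 1, 1)]


def encode(x, gen=G):
    """E(x) = xG over F_2."""
    return tuple(sum(xi * row[j] for xi, row in zip(x, gen)) % 2
                 for j in range(len(gen[0])))


def span(gen):
    """All codewords xG, i.e. the rows of the associated orthogonal array."""
    return sorted({encode(x, gen) for x in product((0, 1), repeat=len(gen))})


def dual(code):
    """All v in V_n with u.v = 0 (mod 2) for every codeword u."""
    n = len(code[0])
    return [v for v in product((0, 1), repeat=n)
            if all(sum(a * b for a, b in zip(u, v)) % 2 == 0 for u in code)]


def min_distance(code):
    """For a linear code: minimum Hamming weight of a nonzero codeword."""
    return min(sum(w) for w in code if any(w))


def strength(rows):
    """Largest t such that every choice of t columns shows each of the 2^t
    binary t-tuples equally often (0 if some single column is unbalanced)."""
    m, n = len(rows), len(rows[0])
    best = 0
    for t in range(1, n + 1):
        if m % 2 ** t:          # index m / 2^t would not be an integer
            break
        lam = m // 2 ** t
        for cols in combinations(range(n), t):
            counts = {}
            for r in rows:
                key = tuple(r[c] for c in cols)
                counts[key] = counts.get(key, 0) + 1
            if len(counts) != 2 ** t or set(counts.values()) != {lam}:
                return best
        best = t
    return best


def report(gen=G):
    """(size, distance, dual distance, OA strength) for C and for its dual."""
    c = span(gen)
    c_perp = dual(c)
    return ((len(c), min_distance(c), min_distance(c_perp), strength(c)),
            (len(c_perp), min_distance(c_perp), min_distance(c), strength(c_perp)))


if __name__ == "__main__":
    print(report())
```

In both tuples the measured strength equals the dual distance minus one, as the theorem states.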

The concept of dual codes is important in the study of orthogonal arrays. As seen above, it allowed us to establish the connection between orthogonal arrays and linear codes in the proof of Theorem 3.20. Moreover, since orthogonal arrays can be created using linear codes and linear codes are either self-dual or give rise to dual codes, this frequently results in connections between pairs of orthogonal arrays. For example, the codewords of the $(7,8,4)_2$ code, $C$, from Example 3.17 form an $OA(8,7,2,2)$ orthogonal array, while the codewords of its dual code, $C^\perp$, $(7,16,3)_2$, create an $OA(16,7,2,3)$ orthogonal array. We shall later extend the concept of duality to correlation immune generalized Boolean functions which were created using orthogonal arrays. Having covered a sufficient amount of background information, we are now in a position to introduce our construction method for higher order correlation immune generalized Boolean functions. To motivate the technique, we begin again by considering the "folklore" construction.

Consider a $CI(1)$ function $f \in \mathcal{GB}_5^q$, which was created using the folklore construction. Here the linear structure, $a = 11111$, is used to partition $V_5$ and for all $x \in V_5$, $f(x) = f(x \oplus a)$. In particular, the set of input vectors $\{00000, 11111\}$ are mapped to the same output value. These two vectors constitute the $(5,2,5)_2$ linear code, and by Theorem 3.20, they also form the $OA(2,5,2,1)$ orthogonal array. Viewed from an orthogonal array perspective, the folklore construction is carried out as follows: Let $G = (V_5, \oplus)$ represent the abelian group of binary input vectors formed under the $\oplus$ operation. $OA(2,5,2,1)$ is a linear orthogonal array since it was created using the linear code $(5,2,5)_2$. Since $(5,2,5)_2$ is a linear code, it forms a subgroup of $G$. Let $O_0 = OA(2,5,2,1)$. For each lexicographic ordered input vector $x$ from 00001 to 01111 we form the cosets, $O_i$, $1 \le i \le 15$, of $O_0$ by adding $x$ to each of the two row vectors in $O_0$. Then $\bigcup_{i=0}^{15} O_i = V_5$ and we have partitioned $V_5$ into 16 pairs of vectors. Moreover, according to Lemma 3.10, each of the cosets of $O_0$ is also an (order 1) orthogonal array. Therefore, by mapping the two row vectors within each orthogonal array, $O_i$, to the same output value, $c \in \mathbb{Z}_q$, we have constructed a $CI(1)$ function.

The benefit of this construction method is that it allows us to use any linear orthogonal array $OA(m,n,2,t)$, where $m = 2^\ell$ and $n > \ell$, to build a correlation immune (order $t$) generalized Boolean function $f \in \mathcal{GB}_n^q$ where $q = 2^{n-\ell}$.


Algorithm 4 CI(t) generalized Boolean function construction

 1: Select a linear orthogonal array $A = OA(m,n,2,t)$, where $m = 2^\ell$ and $n > \ell$.
 2: for $k = 1$ to $m$ do
 3:     Add row vector $x_k \in A$ to the set $O_0$.
 4: end for
 5: Add $O_0$ to the set, $S$, of orthogonal arrays.
 6: for $j = 1$ to $2^{n-\ell} - 1$ do
 7:     Select a vector $a_j \in V_n$, such that $\forall O_k \in S$, where $k < j$, $a_j \notin O_k$.
 8:     for $i = 1$ to $m$ do
 9:         Compute $y_i = x_i \oplus a_j$, where $x_i$ are row vectors in $O_0$.
10:         Add $y_i$ to $O_j$.
11:     end for
12:     Add $O_j$ to $S$.
13: end for
14: Select a permutation, $p$, of the set $\{1, 2, \dots, n\}$.
15: for $i = 1$ to $2^{n-\ell}$ do
16:     Reorder the columns, $c_k$, $k = 1$ to $n$, of $O_i$ such that $O_i^{(p)} = [c_{p_1}, c_{p_2}, \dots, c_{p_n}]$, where $p_n$ is the $n$th element of $p$.
17: end for
18: for $h = 1$ to $2^{n-\ell}$ do
19:     Select an output value $c_h \in \mathbb{Z}_q$, $2 \le q \le 2^{n-\ell}$.
20:     for $i = 1$ to $m$ do
21:         Save the ordered pair, $\{x_i, c_h\}$, where $x_i \in O_h^{(p)}$, to a 2D array, $f$.
22:     end for
23: end for
24: Sort $f$ so that the first elements of each ordered pair, $\{x_i, c_h\} \in f$, appear in lexicographic order.


Proof of Correctness of the CI(t) Generalized Boolean Function Construction: Suppose we wish to create a correlation immune (order $t$) generalized Boolean function $f \in \mathcal{GB}_n^q$ using the above described algorithm. We first select a suitable linear orthogonal array, $O_0 = OA(m,n,2,t)$, such that $t$ satisfies the desired correlation immunity order and $n$ satisfies the required input variable length for our function. Since $O_0$ is a linear orthogonal array, its row vectors form a subgroup of $V_n$. Let $m = 2^\ell$. By selecting an orthogonal array with $m$ such that $2^{n-\ell} \ge q$ we ensure that our construction can achieve the requisite number of functional output values, $q$. Moreover, the fact that $O_0$ is simple and forms a subgroup of $V_n$ guarantees that $O_0$ along with its $2^{n-\ell} - 1$ cosets cover $V_n$. We construct each coset $O_i$, $i = 1$ to $2^{n-\ell} - 1$, by selecting a vector $a \in V_n$ not present in $O_0$ (or any other coset). Lemma 3.10 tells us that each of these cosets is also an $OA(m,n,2,t)$ orthogonal array. Having done so, we have thus partitioned $V_n$ into $2^{n-\ell}$ orthogonal arrays each of strength $t$. We now select one of the $n!$ possible permutations, $p = \{p_1, p_2, \dots, p_n\}$, of the integers $(1, 2, \dots, n)$, where $p_n$ is the $n$th element of the set $p$. Let $O_i = [c_1, c_2, \dots, c_n]$, where $c_j$, $1 \le j \le n$, represents a column vector. We reorder the columns of each orthogonal array $O_i$ such that $O_i^{(p)} = [c_{p_1}, c_{p_2}, \dots, c_{p_n}]$. Since by Definition 3.8, each $O_i$, $i = 0$ to $2^{n-\ell} - 1$, must contain all $2^t$ possible row vectors for any combination of $t$ columns, each resultant array $O_i^{(p)}$ will remain an orthogonal array. Moreover, while the column reordering will alter the vectors which occur within each orthogonal array $O_i^{(p)}$, the set of all orthogonal arrays $O_i^{(p)}$, $i = 0$ to $2^{n-\ell} - 1$, will still cover $V_n$. To recognize that this is indeed the case, consider the following: The set of simple orthogonal arrays $S = \{O_0, O_1, \dots, O_{2^{n-\ell}-1}\}$ covers $V_n$. There are a total of $2^n$ row vectors in $V_n$, each of which is unique. Since we respect the same reordering scheme, $O_i^{(p)} = [c_{p_1}, c_{p_2}, \dots, c_{p_n}]$, for $i = 0$ to $2^{n-\ell} - 1$, it must be the case that each vector in $S^{(p)} = \{O_0^{(p)}, O_1^{(p)}, \dots, O_{2^{n-\ell}-1}^{(p)}\}$ is also unique. Since there are also $2^n$ row vectors in $S^{(p)}$, it must be the case that the set of modified orthogonal arrays also covers $V_n$. Finally, to each set of input vectors, $O_i^{(p)}$, we associate an output value $c_i \in \mathbb{Z}_q$, where $q \le 2^{n-\ell}$. Since each orthogonal array $O_i^{(p)}$ is strength $t$, we have thus created a $CI(t)$ generalized Boolean function $f \in \mathcal{GB}_n^q$.


To  illustrate  the  algorithm  further,  we  provide  the  following  example: 

Example 3.21. Suppose we wish to construct a higher order ($t > 1$) correlation immune generalized Boolean function $f \in \mathcal{GB}_5^4$. We begin by finding a linear orthogonal array suitable for the task. In this case, $OA(8,5,2,2)$ is a good candidate. Let $O_0 = OA(8,5,2,2)$.

O_0
0 0 0 0 0
1 0 0 1 1
0 1 0 1 0
0 0 1 0 1
1 1 0 0 1
1 0 1 1 0
0 1 1 1 1
1 1 1 0 0

Since $OA(8,5,2,2)$ is a linear orthogonal array, $O_0$'s row vectors form a subgroup of $V_5$. We can therefore cover $V_5$ by forming the 3 cosets of $O_0$. To do so, we iteratively proceed as follows: For $i = 1$ to 3 we form $O_i$ by selecting a vector, $a \in V_n$, which is not present in any of the preceding orthogonal arrays, $O_j$, where $j < i$. Then for each row vector $x_k \in O_0$, $k = 1$ to 8, we compute $y_k = x_k \oplus a$ and add it to $O_i$. Doing so produces the cosets

O_1          O_2          O_3
0 0 0 0 1    0 0 0 1 0    1 0 0 0 0
1 0 0 1 0    1 0 0 0 1    0 0 0 1 1
0 1 0 1 1    0 1 0 0 0    1 1 0 1 0
0 0 1 0 0    0 0 1 1 1    1 0 1 0 1
1 1 0 0 0    1 1 0 1 1    0 1 0 0 1
1 0 1 1 1    1 0 1 0 0    0 0 1 1 0
0 1 1 1 0    0 1 1 0 1    1 1 1 1 1
1 1 1 0 1    1 1 1 1 0    0 1 1 0 0

Lemma 3.10 ensures that these newly formed cosets are all $OA(8,5,2,2)$ orthogonal arrays in their own right. We now select a permutation, $p$, of the set $\{1, 2, \dots, 5\}$, say for example $p = \{2, 1, 3, 5, 4\}$. For each of the orthogonal arrays, $O_i$, $i = 0$ to 3, we rearrange the columns of $O_i$ such that $O_i^{(p)} = [c_{p(1)}, c_{p(2)}, c_{p(3)}, c_{p(4)}, c_{p(5)}] = [c_2, c_1, c_3, c_5, c_4]$,

O_0^(p)      O_1^(p)      O_2^(p)      O_3^(p)
0 0 0 0 0    0 0 0 1 0    0 0 0 0 1    0 1 0 0 0
0 1 0 1 1    0 1 0 0 1    0 1 0 1 0    0 0 0 1 1
1 0 0 0 1    1 0 0 1 1    1 0 0 0 0    1 1 0 0 1
0 0 1 1 0    0 0 1 0 0    0 0 1 1 1    0 1 1 1 0
1 1 0 1 0    1 1 0 0 0    1 1 0 1 1    1 0 0 1 0
0 1 1 0 1    0 1 1 1 1    0 1 1 0 0    0 0 1 0 1
1 0 1 1 1    1 0 1 0 1    1 0 1 1 0    1 1 1 1 1
1 1 1 0 0    1 1 1 1 0    1 1 1 0 1    1 0 1 0 0

By subsequently assigning the same output value from $\mathbb{Z}_4$ to the vectors within each orthogonal array, say for example $\{O_0^{(p)} \to 0, O_1^{(p)} \to 1, O_2^{(p)} \to 2, O_3^{(p)} \to 3\}$, we create the $CI(2)$ generalized Boolean function depicted in Table 3.5:

Table 3.5: A $CI(2)$ generalized Boolean function $f \in \mathcal{GB}_5^4$

V_5      a_0   a_1   a_0 ⊕ a_1   f
00000    0     0     0           0
00001    0     1     1           2
00010    1     0     1           1
00011    1     1     0           3
00100    1     0     1           1
00101    1     1     0           3
00110    0     0     0           0
00111    0     1     1           2
01000    1     1     0           3
01001    1     0     1           1
01010    0     1     1           2
01011    0     0     0           0
01100    0     1     1           2
01101    0     0     0           0
01110    1     1     0           3
01111    1     0     1           1
10000    0     1     1           2
10001    0     0     0           0
10010    1     1     0           3
10011    1     0     1           1
10100    1     1     0           3
10101    1     0     1           1
10110    0     1     1           2
10111    0     0     0           0
11000    1     0     1           1
11001    1     1     0           3
11010    0     0     0           0
11011    0     1     1           2
11100    0     0     0           0
11101    0     1     1           2
11110    1     0     1           1
11111    1     1     0           3
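Algorithm 4 run on the data of Example 3.21 reproduces the $f$ column of Table 3.5, and the correlation immunity order can then be measured from the probabilistic definition rather than assumed. The Python sketch below is an added illustration, not code from the dissertation; it assumes each coset representative $a_j$ is the lexicographically first uncovered vector, which is one admissible choice in step 7, and the function names are chosen here.

```python
from collections import Counter
from itertools import combinations, product

# O_0 = OA(8,5,2,2), permutation p and output values from Example 3.21.
O0 = ["00000", "10011", "01010", "00101", "11001", "10110", "01111", "11100"]
P = (2, 1, 3, 5, 4)
OUTPUTS = (0, 1, 2, 3)


def cosets(o0):
    """Steps 1-13: O_0 followed by its cosets. Each a_j is the
    lexicographically first vector not yet covered (assumed choice)."""
    base = [tuple(int(b) for b in row) for row in o0]
    n = len(base[0])
    covered, arrays = set(), []
    for a in product((0, 1), repeat=n):
        if a in covered:
            continue
        coset = [tuple(x ^ y for x, y in zip(row, a)) for row in base]
        arrays.append(coset)
        covered.update(coset)
    if len(covered) != 2 ** n or len(arrays) * len(base) != 2 ** n:
        raise ValueError("O_0 and its translates do not partition V_n")
    return arrays


def algorithm4(o0, perm, outputs):
    """Steps 14-24: permute columns, give every row of O_h^(p) the value
    c_h, and return the truth table as a lexicographically sorted dict."""
    arrays = cosets(o0)
    if len(outputs) != len(arrays):
        raise ValueError("need one output value per orthogonal array")
    f = {}
    for coset, c in zip(arrays, outputs):
        for row in coset:
            f[tuple(row[k - 1] for k in perm)] = c
    return dict(sorted(f.items()))


def ci_order(f):
    """Largest t with Pr(f = c | y = y0) = Pr(f = c) for every choice of t
    input positions y, every t-bit value y0 and every output value c."""
    n = len(next(iter(f)))
    weight = Counter(f.values())            # occurrences of each c
    order = 0
    for t in range(1, n + 1):
        for cols in combinations(range(n), t):
            joint = Counter((tuple(x[i] for i in cols), c)
                            for x, c in f.items())
            for y0 in product((0, 1), repeat=t):
                # count(y = y0, f = c) / 2^(n-t) must equal weight / 2^n
                if any(joint[(y0, c)] * 2 ** t != w
                       for c, w in weight.items()):
                    return order
        order = t
    return order


def truth_table(f):
    """Output values listed in lexicographic order of the inputs."""
    return [f[x] for x in sorted(f)]


if __name__ == "__main__":
    f = algorithm4(O0, P, OUTPUTS)
    print(truth_table(f), ci_order(f))
```

Merging arrays by repeating an output value keeps the order at least 2, since a union of disjoint strength-2 arrays is again balanced on every pair of columns.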

Given the fact that Algorithm 4 makes use of column permutations when constructing generalized Boolean functions, it is of interest to investigate when such actions result in new orthogonal arrays and partitions of $V_n$.

Definition  3.22.  An  orthogonal  array  whose  set  of  row  vectors  remains  invariant  under  the 
full  symmetric  group  Sn  of  column  permutations  is  called  a  symmetric  orthogonal  array. 

Example 3.23. The orthogonal array $OA(4,3,2,2)$:

$$O = \begin{bmatrix} 0 & 0 & 0 \\ 0 & 1 & 1 \\ 1 & 0 & 1 \\ 1 & 1 & 0 \end{bmatrix}$$

is a symmetric orthogonal array, since the set of $O$'s row vectors remains invariant under the full symmetric group $S_3$ of column permutations.

Remark 3.24. Given an orthogonal array, $O = OA(m,n,2,t)$, it is a relatively straightforward matter to check whether or not it is symmetric. Let $H$ represent the set of Hamming weights of all $m$ row vectors in $O$. In order for $O$ to be a symmetric orthogonal array, for each Hamming weight, $h \in H$, $O$ must contain all vectors, $x \in V_n$, such that $wt(x) = h$.

Lemma 3.25. Given a symmetric linear orthogonal array $O = OA(2^{n-1},n,2,t)$, the remaining set of vectors $V_n \setminus O$ also forms a symmetric orthogonal array.

Proof. Let $O_0$ be a symmetric linear orthogonal array $OA(2^{n-1},n,2,t)$. Since $O_0$ is a linear orthogonal array, the row vectors of $O_0$ form an order $2^{n-1}$ abelian subgroup, $O_0 \le (V_n, \oplus)$. We select a vector $a \in V_n$ which is not present in $O_0$ and add it in turn to each row vector in $O_0$. The resultant set of vectors, $O_1$, is the coset of $O_0$ and $O_0 \cup O_1 = V_n$. Moreover, according to Lemma 3.10, $O_1$ is also an $OA(2^{n-1},n,2,t)$ orthogonal array. Let $H$ represent the set of Hamming weights of all row vectors in $O_0$. Since $O_0$ is symmetric, it must be the case that for each $h \in H$, $O_0$ contains all vectors, $x \in V_n$, such that $wt(x) = h$. This in turn means that $O_1$ contains all vectors $y \in V_n$ such that $wt(y) \in \mathbb{Z}_n \setminus H$, thus demonstrating that $O_1$ is also a symmetric orthogonal array. ■

Definition 3.26. A partition of $V_n$ which remains invariant under the full symmetric group $S_n$ of column permutations is called a symmetric partition.

Remark 3.27. Lemma 3.25 demonstrates the fact that binary symmetric linear orthogonal arrays with $n$ constraints and size $2^{n-1}$ give rise to symmetric partitions of $V_n$. However, it is possible for a partition containing subsets, some of which are not symmetric, to nonetheless be symmetric. To illustrate the point, consider the following:

Example 3.28. Below we list the linear orthogonal array $O_0 = OA(2,4,2,1)$ along with its 7 cosets:

O_0        O_1        O_2        O_3
0 0 0 0    0 0 0 1    0 0 1 0    0 1 0 0
1 1 1 1    1 1 1 0    1 1 0 1    1 0 1 1

O_4        O_5        O_6        O_7
1 0 0 0    0 0 1 1    0 1 0 1    0 1 1 0
0 1 1 1    1 1 0 0    1 0 1 0    1 0 0 1

While $O_0$ clearly is a symmetric linear orthogonal array, given that it remains invariant under all column permutations, each of its cosets is not. Despite this fact, the set of all orthogonal arrays, $P = \{O_0, O_1, \dots, O_7\}$, is nonetheless symmetric. The reason for this is that $P$ forms a group under the set $\Sigma$ of the $4!$ column permutations. For example, for one such column permutation $\sigma = 4123$

$$\begin{pmatrix} O_0 & O_1 & O_2 & O_3 & O_4 & O_5 & O_6 & O_7 \\ O_0 & O_4 & O_1 & O_2 & O_3 & O_7 & O_6 & O_5 \end{pmatrix} = (O_1\, O_4\, O_3\, O_2)(O_5\, O_7).$$


Proposition 3.29. The partition of $V_n$ used in the folklore $CI(1)$ construction is symmetric.


Proof. The folklore construction partitions $V_n$ into $2^{n-1}$ pairs of complementary vectors. Every column in each pair contains complementary bits. For each vector pair $x$ and $\bar{x}$, any column permutation $\sigma$ therefore produces a pair of complementary vectors $x'$ and $\bar{x}'$. Since each vector in the partition is unique and $\sigma$ is applied to all vector pairs, the permutation results in $2^{n-1}$ pairs of complementary vectors. ■


A nonsymmetric partition of $V_n$ gives rise to multiple partitions of $V_n$ under the set of column permutations. The exact number of resultant partitions depends upon the partition in question, but is bounded above by $n!$.

Theorem 3.30. Let $O = OA(2^\ell,n,2,t)$, $n > \ell$, be a linear orthogonal array, and let $F$ represent the set of distinct correlation immune (order $t$) generalized Boolean functions $f \in \mathcal{GB}_n^q$, where $q = 2^{n-\ell}$. The number $|F|$ of distinct $CI(t)$ generalized Boolean functions that can be constructed using $O$ and Algorithm 4 is bounded by:

$$\left(2^{n-\ell}\right)^{2^{n-\ell}} \le |F| \le n!\left(2^{n-\ell}\right)^{2^{n-\ell}}.$$

Proof. Let $O = OA(2^\ell,n,2,t)$, $\ell \le n - 1$, be a linear orthogonal array. If $O$ is symmetric and gives rise to a symmetric partition $P$ of $V_n$, the set of partitions produced by column permutations is singular. Since $O$ is a linear orthogonal array, $O$ along with its $2^{n-\ell} - 1$ cosets (each of which also are $OA(2^\ell,n,2,t)$ orthogonal arrays) therefore cover $V_n$. In order to ensure correlation immunity (order $t$) we assign the same output value to all row vectors within each of the $2^{n-\ell}$ orthogonal arrays. Assigning a unique value to each orthogonal array establishes the maximum size of the image of $f$, $|f(V_n)| = 2^{n-\ell}$. For each of the $2^{n-\ell}$ orthogonal arrays in $P$ there are $q = 2^{n-\ell}$ choices for the output value, which in turn establishes the stated lower bound of $\left(2^{n-\ell}\right)^{2^{n-\ell}}$. If, on the other hand, the partition $P$ is nonsymmetric, then the set of column permutations will produce several distinct partitions of $V_n$. Consider the extreme case: Suppose $O$ contains row vectors, each of which has unique Hamming weight and each column of $O$ is also unique. In this case, each of the $n!$ column permutations of $O$ would produce a unique orthogonal array $O^{(p)}$. Each of these is a linear orthogonal array, and thus along with its cosets gives rise to a unique partition of $V_n$. Each of the $n!$ partitions contain $2^{n-\ell}$ orthogonal arrays, so the maximum size of the image of $f$ is again $|f(V_n)| = 2^{n-\ell}$. For each of the $2^{n-\ell}$ orthogonal arrays in a given partition, there are $q = 2^{n-\ell}$ choices for the output value. Hence, as before, for each partition there are $\left(2^{n-\ell}\right)^{2^{n-\ell}}$ possible ways of assigning OA-output value pairs. Thus, the total number of $CI(t)$ generalized Boolean functions we can construct with $O$ and Algorithm 4 is bounded above by $n!\left(2^{n-\ell}\right)^{2^{n-\ell}}$. ■

Given the construction method of Algorithm 4, the maximum number of output values which a correlation immune generalized Boolean function $f \in \mathcal{GB}_n^q$ can achieve is $2^n/m$, where $m$ is the size of the linear orthogonal array $OA(m,n,2,t)$. We use this fact along with the Singleton bound to establish bounds on the size of the image of $f$.

Theorem 3.31 (Singleton bound for $CI(t)$ generalized Boolean functions). Let $f \in \mathcal{GB}_n^q$ be a $CI(t)$ generalized Boolean function constructed using a linear orthogonal array $OA(m,n,2,t)$ and Algorithm 4. Then the size of the image of $f$ is bounded by

$$2^{d-1} \le |f(V_n)| \le 2^{n-t},$$

where $d$ is the minimum distance of the linear code associated with the linear orthogonal array.


Proof. Let $O$ be the linear orthogonal array $OA(m,n,2,t)$ which was used to construct $f$ in accordance with Algorithm 4. Let $C$ denote the linear code associated with $O$, let $|C|$ denote the number of codewords in $C$, and let $d$ denote the minimum distance for $C$. Then $m = |C|$. $C$ is a linear code, therefore it is simple. From Theorem 4.20 [19, p. 79] we know that, for a set of vectors $C$ of length $n$ with minimal distance $d$ and strength $t$

$$s^t \le |C| \le s^{n-d+1},$$

where $s$ is the vector alphabet size and the right-hand side bound assumes that $C$ is a simple code. Letting $s = 2$ we then have:

$$2^t \le |C| \le 2^{n-d+1}.$$

Algorithm 4 partitions $V_n$ into subsets of size $m$, each of which is subsequently assigned an output value from $\mathbb{Z}_q$. The maximum size of the image of $f$ is therefore $2^n/m = 2^n/|C|$. This number is largest when $|C|$ is smallest and vice versa. Therefore:

$$2^{n-(n-d+1)} \le |f(V_n)| \le 2^{n-t},$$

which establishes the stated bounds on the cardinality of the image of $f$. ■

Proposition 3.32 ($CI(t)$ generalized Boolean functions duality). Let $O$ be an $OA(m,n,2,t)$ linear orthogonal array and let $C$ be its corresponding $(n,m,d)_2$ linear code. Let $C^\perp$ be the dual code of $C$ and let $O^\perp$ represent the dual orthogonal array associated with $C^\perp$. Let $F$ represent the set of correlation immune (order $t$) generalized Boolean functions that can be constructed using $O$ and Algorithm 4. If $n$ is odd, or if $n$ is even and the Hamming weight of at least one of $O$'s row vectors is not divisible by 2, then there exists a set $F^\perp$ of correlation immune generalized Boolean functions which can be constructed using $O^\perp$.


Proof. This is a direct consequence of Theorem 3.20 and the existence of dual codes. Binary linear (even or doubly-even) self-dual codes occur when $n$ is even and the Hamming weight of each codeword is divisible by 2 or 4 respectively [26, p. 27]. By stipulating that either $n$ be odd, or $n$ be even and $O$ contain at least one row vector which is divisible by 2, we ensure that $C$ is not a self-dual code. This means that a distinct $O^\perp$ linear orthogonal array exists which can in turn be used in conjunction with Algorithm 4 to generate $F^\perp$. ■

Proposition 3.33. Let $u \ge 1$, $\ell \le n - 1$ and $q \le 2^{n-\ell}$. When constructing correlation immune functions using Algorithm 4, $CI(2u)$ functions $f \in \mathcal{GB}_n^q$ exist if and only if $CI(2u + 1)$ functions $f \in \mathcal{GB}_{n+1}^q$ exist.


Proof. This is a direct consequence of Theorem 2.24 by Hedayat, Sloane and Stufken [19, p. 28], which states: An $OA(m,n,2,2u)$ orthogonal array exists if and only if an $OA(2m,n,2,2u+1)$ orthogonal array exists. In the interest of brevity, we omit their proof here. The interested reader may refer to their work for the proof of this orthogonal array result. ■


There are many known linear orthogonal arrays which are suitable for constructing higher order correlation immune generalized Boolean functions $f \in \mathcal{GB}_n^q$ using the method outlined in Algorithm 4. Using [19] and [41] we have, for the benefit of the reader, compiled an (incomplete) list of function parameters, $n$, $q$ and $t$, along with the parameters of corresponding known linear orthogonal arrays in Table 3.6. Additionally, several of these linear orthogonal arrays can be found in Appendix C.

Table 3.6: Some orthogonal arrays and associated generalized Boolean function parameters

n     q ≤     CI(t)   OA
5     4       2       OA(8,5,2,2)
6     4       3       OA(16,6,2,3)
7     16      2       OA(8,7,2,2)
7     8       3       OA(16,7,2,3)
8     16      3       OA(16,8,2,3)
9     4       5       OA(2^7,9,2,5)
12    4       7       OA(2^10,12,2,7)
15    2^11    2       OA(16,15,2,2)
15    2^8     3       OA(2^7,15,2,3)
15    2^7     4       OA(2^8,15,2,4)
16    2^11    3       OA(32,16,2,3)
16    32      7       OA(2^11,16,2,7)
18    8       9       OA(2^15,18,2,9)
20    2^11    5       OA(2^9,20,2,5)
24    2^14    5       OA(2^10,24,2,5)
24    2^12    7       OA(2^12,24,2,7)
31    2^26    2       OA(32,31,2,2)
32    2^26    3       OA(64,32,2,3)
32    2^21    5       OA(2^11,32,2,5)
32    2^6     15      OA(2^26,32,2,15)

3.4  New  From  Old  Correlation  Immune  Generalized  Boolean 
Functions 

In his original paper [40], Siegenthaler provided a construction of a large class of correlation immune (order $t$) functions on $n + 1$ variables by concatenating the truth tables of two $n$ variable correlation immune (order $t$) Boolean functions. This method, along with the proof of its correctness, can be found in Cusick and Stanica's book on Cryptographic Boolean functions [11, p. 74]. We extend here their theorem (4.20) so that it applies to generalized Boolean functions. Before doing so, it is however necessary for us to generalize Lemma 4.2 (f) [11, p. 56], also contained in their aforementioned monograph.

Lemma 3.34. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function and let
$\mathbf{x} = (x_1, \ldots, x_n) \in \mathbb{V}_n$ be an input vector of $f$. Let
$\mathbf{y} = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of
the variables $x_i$, and let $\mathbf{y}_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector.
Let $wt(f|_c)$ denote the number of occurrences of $c$ in the truth table of $f$. If $f$ is
correlation immune of order $t$, then for all $\mathbf{y}$ and for each $\mathbf{y}_0$,
$\Pr(f(\mathbf{x}) = c \mid \mathbf{y} = \mathbf{y}_0) = \Pr(f(\mathbf{x}) = c) = \frac{wt(f|_c)}{2^n}$.


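Proof. Let $f \in \mathcal{GB}_n^q$ be a correlation immune (order $t$) generalized Boolean function.
Then, since $f$ is correlation immune of order $t$, for all $c$ we have

$$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f(\mathbf{x}) = c) = \frac{\Pr(\mathbf{y} = \mathbf{y}_0 \cap f(\mathbf{x}) = c)}{\Pr(f(\mathbf{x}) = c)} = \frac{1}{2^t} \;\Longrightarrow\; \Pr(\mathbf{y} = \mathbf{y}_0 \cap f(\mathbf{x}) = c) = \frac{\Pr(f(\mathbf{x}) = c)}{2^t}$$

and

$$\Pr(f(\mathbf{x}) = c \mid \mathbf{y} = \mathbf{y}_0) = \frac{\Pr(f(\mathbf{x}) = c \cap \mathbf{y} = \mathbf{y}_0)}{\Pr(\mathbf{y} = \mathbf{y}_0)} = \frac{\Pr(f(\mathbf{x}) = c)}{2^t \cdot \Pr(\mathbf{y} = \mathbf{y}_0)} = \frac{\Pr(f(\mathbf{x}) = c)}{2^t \cdot 2^{-t}} = \frac{wt(f|_c)}{2^n}.$$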


Theorem 3.35. Let $\mathbf{x} = (x_1, \ldots, x_n)$ and suppose that we have correlation immune (order $t$)
generalized Boolean functions, $f_1, f_2 \in \mathcal{GB}_n^q$ such that $\forall c \in f_1(\mathbb{V}_n) = f_2(\mathbb{V}_n)$,
$\Pr(f_1(\mathbf{x}) = c) = \Pr(f_2(\mathbf{x}) = c) = p$. Then the function $f$ of $n + 1$ variables defined by

$$f(\mathbf{x}, x_{n+1}) = x_{n+1} f_1(\mathbf{x}) + (x_{n+1} \oplus 1) f_2(\mathbf{x}) \qquad (3.2)$$

is also correlation immune of order $t$ and satisfies $\Pr(f(\mathbf{x}) = c) = p$.

Proof. Let $\mathbf{y} = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of the variables, $x_i$,
and let $\mathbf{y}_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Then since $f_1$ and $f_2$ do not depend
on $x_{n+1}$ we have for either fixed choice of the bit $b$, and $i = 1$ or $2$,

$$\Pr(f_i = c \mid \mathbf{y} = \mathbf{y}_0, x_{n+1} = b) = \Pr(f_i = c \mid \mathbf{y} = \mathbf{y}_0) = \Pr(f_i = c), \qquad (3.3)$$

where the second equality follows from our hypothesis that $f_i$ is correlation immune of
order $t$ and using Lemma 3.34 above. Now (3.2) and (3.3) imply

$$\Pr(f = c \mid \mathbf{y} = \mathbf{y}_0, x_{n+1} = 1) = \Pr(f_1 = c) = p$$

and

$$\Pr(f = c \mid \mathbf{y} = \mathbf{y}_0, x_{n+1} = 0) = \Pr(f_2 = c) = p,$$

so we obtain

$$\Pr(f = c \mid \mathbf{y} = \mathbf{y}_0, x_{n+1} = b) = \Pr(f = c) = p.$$

This implies that the value of $f$ is independent of the choice of any subset of $t$ of the $n + 1$
input variables, so $f$ is correlation immune of order at least $t$. ■

Example 3.36. Table 3.7 provides an example of a generalized Boolean function which was
constructed using Theorem 3.35.

Table 3.7: A Siegenthaler constructed CI(1) function $f \in \mathcal{GB}_4^4$

V_4     a_0   a_1   f
0000    0     0     0
0001    1     1     3
0010    0     1     2
0011    1     0     1
0100    1     0     1
0101    0     1     2
0110    1     1     3
0111    0     0     0
1000    0     1     2
1001    1     0     1
1010    1     1     3
1011    0     0     0
1100    0     0     0
1101    1     1     3
1110    1     0     1
1111    0     1     2

In the above example we see how correlation immune (order 1) Boolean functions can be
used to construct new correlation immune (order 1) generalized Boolean functions. Care
must however be taken to ensure that all stipulated requirements are satisfied by the two
selected generalized Boolean functions before proceeding with the construction. To illustrate
the point, consider the following example in Table 3.8:

Table 3.8: A correlation immune generalized Boolean function construction failure

V_3    a_0   a_1   f
000    1     0     1
001    0     1     2
010    0     1     2
011    1     0     1
100    0     0     0
101    1     1     3
110    1     1     3
111    0     0     0

In this case, both Boolean functions $a_0$ and $a_1$ are CI(1), yet the generalized Boolean
function $f$ fails to be correlation immune. The cause of the failure lies in the fact that, in
order for the generalized Siegenthaler construction to work, Theorem 3.35 requires that
the two generalized Boolean functions $f_1$ and $f_2$ are such that $\forall c \in f_1(\mathbb{V}_n) = f_2(\mathbb{V}_n)$,
$\Pr(f_1(\mathbf{x}) = c) = \Pr(f_2(\mathbf{x}) = c) = p$. In this instance, $f_1(\mathbb{V}_n) = \{1, 2\} \neq \{0, 3\} = f_2(\mathbb{V}_n)$.
This disagreement between the output values in the first and second half of the truth table
of $f$ results in the associated conditional probabilities not equaling the required values. For
example, $\Pr(x_1 = 1 \mid f(\mathbf{x}) = 3) = 1$.
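
The success in Table 3.7 and the failure in Table 3.8 can both be checked mechanically. The following Python code is an added example, not code from the dissertation: it tests the CI(t) condition of Lemma 3.34 on a truth table, applies the concatenation of Theorem 3.35 only when its hypotheses hold, and splits f into its constituent Boolean functions. The function names are assumptions made here, the new variable is taken as the leftmost bit with x_1 leftmost as in the probability quoted above, and which half receives f_1 does not affect correlation immunity.

```python
from fractions import Fraction
from itertools import combinations, product

# Truth tables transcribed from Tables 3.7 and 3.8 (inputs in lexicographic order).
TABLE_3_7 = [0, 3, 2, 1, 1, 2, 3, 0, 2, 1, 3, 0, 0, 3, 1, 2]
TABLE_3_8 = [1, 2, 2, 1, 0, 3, 3, 0]


def bit(x, n, i):
    """Value of variable x_i (1-based, x_1 leftmost) in the n-bit input x."""
    return (x >> (n - i)) & 1


def is_ci(tt, n, t):
    """CI(t) test: Pr(y = y0 | f(x) = c) = 2^-t for every output value c,
    every choice y of t input variables and every t-bit pattern y0."""
    for c in set(tt):
        support = [x for x in range(2 ** n) if tt[x] == c]
        for chosen in combinations(range(1, n + 1), t):
            counts = {}
            for x in support:
                y = tuple(bit(x, n, i) for i in chosen)
                counts[y] = counts.get(y, 0) + 1
            # each of the 2^t patterns must occur exactly |support| / 2^t times
            if any(counts.get(y0, 0) * 2 ** t != len(support)
                   for y0 in product((0, 1), repeat=t)):
                return False
    return True


def constituents(tt, k):
    """Boolean truth tables a_0 .. a_{k-1} with f(x) = sum_j 2^j a_j(x)."""
    return [[(c >> j) & 1 for c in tt] for j in range(k)]


def siegenthaler(f1, f2, n, t):
    """Concatenate two n-variable truth tables into an (n+1)-variable one,
    refusing inputs that violate the hypotheses of Theorem 3.35."""
    if not (is_ci(f1, n, t) and is_ci(f2, n, t)):
        raise ValueError("both halves must be CI(t)")
    if sorted(f1) != sorted(f2):
        raise ValueError("halves must take every value c equally often")
    return list(f1) + list(f2)


def pr_bit_given_output(tt, n, i, c):
    """Pr(x_i = 1 | f(x) = c); any value other than 1/2 is a correlation leak."""
    support = [x for x in range(2 ** n) if tt[x] == c]
    return Fraction(sum(bit(x, n, i) for x in support), len(support))


if __name__ == "__main__":
    print("Table 3.7 CI(1):", is_ci(TABLE_3_7, 4, 1))
    print("Table 3.8 CI(1):", is_ci(TABLE_3_8, 3, 1))
    print("Table 3.8 constituents CI(1):",
          [is_ci(a, 3, 1) for a in constituents(TABLE_3_8, 2)])
    print("Pr(x_1 = 1 | f = 3) in Table 3.8:",
          pr_bit_given_output(TABLE_3_8, 3, 1, 3))
```
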

3.5 Necessary and Sufficient Conditions for Correlation Immune Generalized Boolean Functions


Suppose, as depicted in Figure 3.1, we wish to design a q-ary sequence generator that uses
k linear feedback shift registers (LFSRs) which in turn feed a generalized Boolean function
$f \in \mathcal{GB}_n^q$, $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, where $a_j \in \mathcal{B}_n$.

Figure 3.1: q-ary sequence generator


Suppose further that we wish to ensure that our function is immune to correlation attacks.
Considering the problem for a moment, we quickly recognize that the q-ary nature of the
output sequence does not provide any additional security. By binary expansion of each of
the output values in the sequence, an attacker could simply employ a divide-and-conquer
approach and perform k separate correlation attacks, one on each of our function’s k
constituent Boolean functions $a_j$. Clearly in order for a generalized Boolean function $f \in \mathcal{GB}_n^q$
used in this manner to be considered correlation immune, the governing CI criteria must be
satisfied by each of the constituent Boolean functions $a_j$, $0 \le j \le k - 1$.

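Lemma 3.37. Let $f \in \mathcal{GB}_n^q$ be a correlation immune (order $t$) function and let $\mathbb{V}_n$ represent
the set of binary input vectors, $\mathbf{x} = (x_n, \ldots, x_1)$. Let $c \in f(\mathbb{V}_n)$ be an output value of $f$
and $V_c = \{\mathbf{x} \in \mathbb{V}_n : f(\mathbf{x}) = c\}$. Let $\mathbf{y} = (x_{i(1)}, \ldots, x_{i(t)})$ be an arbitrary choice of $t$ of the
variables, $x_i$, and let $\mathbf{y}_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Assume that there exists
a partition $V_c = \bigcup_{i=1}^{r} W_i$, $W_i \cap W_j = \emptyset$ if $i \neq j$, and for all $W \in \{W_1, \ldots, W_r\}$ and for each $\mathbf{y}_0$,
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_W = c) = 2^{-t}$. Then for all $U = \bigcup_{i \in I} W_i$ with $I \subseteq \{1, 2, \ldots, r\}$,
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_U = c) = 2^{-t}$, for each $\mathbf{y}_0$.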

Proof. Let $f \in \mathcal{GB}_n^q$ be a correlation immune (order $t$) function. Let $c \in f(\mathbb{V}_n)$ be an
output value of $f$ and let $V_c = \{\mathbf{x} \in \mathbb{V}_n : f(\mathbf{x}) = c\}$. Let $\{W_1, \ldots, W_r\}$ be mutually disjoint
sets which partition $V_c$ such that for every $W_i \in \{W_1, \ldots, W_r\}$ and $\forall \mathbf{y}$ and each $\mathbf{y}_0$:
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_{W_i} = c) = 2^{-t}$. Without loss of generality, let $U$ be an arbitrary union of $s$ sets chosen
from $\{W_1, \ldots, W_r\}$, where $2 \le s \le r$. Since for each $W_i$ involved in $U$ and $\forall \mathbf{y}$ and each $\mathbf{y}_0$:
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_{W_i} = c) = 2^{-t}$, it must be the case that there are $2^{-t} |W_i|$ vectors $\mathbf{x} \in W_i$ which
satisfy each condition $\mathbf{y} = \mathbf{y}_0$ for each subset $W_i$. The subsets $W_i$ are disjoint, therefore, the
total number of vectors which satisfy each specific condition, $\mathbf{y} = \mathbf{y}_0$, is

$$\sum_{i=1}^{s} \frac{|W_i|}{2^t} = \frac{1}{2^t} \sum_{i=1}^{s} |W_i| = \frac{1}{2^t} |U|.$$

This in turn means that $\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_U = c) = 2^{-t}$, regardless of our choice of $U$. ■

Theorem 3.38. If $f$ is a correlation immune (order $t$) generalized Boolean function, then
all of its constituent Boolean functions are also correlation immune (order $t$).


Proof. Let $\mathbf{x} \in \mathbb{V}_n$ and let $f \in \mathcal{GB}_n^q$ be a correlation immune (order $t$) generalized Boolean
function, where $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, $a_j \in \mathcal{B}_n$. Suppose $c \in f(\mathbb{V}_n)$. Let $c_2(j)$ represent
the $j$th bit of the binary expansion of $c$, such that $f(\mathbf{x}) = c$ and $a_j(\mathbf{x}) = c_2(j)$. Since
$c_2(j) \in \mathbb{F}_2$, for each function $a_j$, the binary expansion of the elements of $f(\mathbb{V}_n)$ partition
$\mathbb{V}_n$ into disjoint sets $V_{0(1)}, V_{0(2)}, \ldots, V_{0(r)}$ and $V_{1(1)}, V_{1(2)}, \ldots, V_{1(s)}$, such that $r + s = |f(\mathbb{V}_n)|$
and for all $\mathbf{x} \in V_{0(\gamma)}$, where $1 \le \gamma \le r$, $a_j(\mathbf{x}) = 0$ and for all $\mathbf{x} \in V_{1(\delta)}$, where $1 \le \delta \le s$,
$a_j(\mathbf{x}) = 1$. Let $\mathbf{y} = (x_{i(1)}, \ldots, x_{i(t)})$ be made up of an arbitrary choice of $t$ of the variables, $x_i$,
and let $\mathbf{y}_0 = (y_1, \ldots, y_t)$ be any fixed binary $t$-vector. Then, since $f$ is correlation immune
(order $t$), for each $\mathbf{y}_0$ and for every $c \in f(\mathbb{V}_n)$, we know that $\Pr(\mathbf{y} = \mathbf{y}_0 \mid f(\mathbf{x}) = c) = 2^{-t}$.
This in turn means that for each $V_{0(\gamma)}$ and each $V_{1(\delta)}$:
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_{V_{0(\gamma)}}(\mathbf{x}) = 0) = \Pr(\mathbf{y} = \mathbf{y}_0 \mid f|_{V_{1(\delta)}}(\mathbf{x}) = 0) = 2^{-t}$.
Turning our attention to the Boolean function, $a_j$, this implies that
for each $\mathbf{y}_0$ and every $V_{0(\gamma)}$ and $V_{1(\delta)}$:
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid a_j|_{V_{0(\gamma)}}(\mathbf{x}) = 0) = \Pr(\mathbf{y} = \mathbf{y}_0 \mid a_j|_{V_{1(\delta)}}(\mathbf{x}) = 0) = 2^{-t}$.
This can be viewed as a relabeling of $f$’s outputs from $c$ to $c_2(j)$. If it were not
possible to succeed in doing so, it would mean that $f$ failed to be CI(t) for one or more of
its output values $c$. Given this partitioning of $a_j$ into individually CI(t) components, we let
$V_0 = \bigcup_{\gamma=1}^{r} V_{0(\gamma)}$ and $V_1 = \bigcup_{\delta=1}^{s} V_{1(\delta)}$ and apply Lemma 3.37 which tells us that for each $\mathbf{y}_0$,
$\Pr(\mathbf{y} = \mathbf{y}_0 \mid a_j|_{V_0}(\mathbf{x}) = 0) = \Pr(\mathbf{y} = \mathbf{y}_0 \mid a_j|_{V_1}(\mathbf{x}) = 1) = 2^{-t}$, thus demonstrating that for all
$j$, $0 \le j \le k - 1$, $a_j$ is a correlation immune (order $t$) Boolean function. ■

Theorem 3.38 guarantees that generalized Boolean functions which are correlation immune
are not susceptible to binary output decomposition followed by correlation attacks
carried out on their Boolean function components. However, since cryptographers may wish
to construct correlation immune generalized Boolean functions using correlation immune
Boolean functions as building blocks, we would also like to establish the criteria under
which such functions ensure the resultant generalized Boolean function is correlation
immune. As previously observed in Table 3.8, the fact that a generalized Boolean function $f$
has Boolean functional components, all of which are correlation immune, is not sufficient
to ensure that $f$ itself is correlation immune.

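Lemma 3.39. Let $X$ and $Y$ be rectangular arrays, each containing $m$ rows of binary vectors
of length $n$.

$$X = \begin{pmatrix} x_{11} & x_{12} & \cdots & x_{1n} \\ x_{21} & x_{22} & \cdots & x_{2n} \\ \vdots & \vdots & & \vdots \\ x_{m1} & x_{m2} & \cdots & x_{mn} \end{pmatrix}, \qquad Y = \begin{pmatrix} y_{11} & y_{12} & \cdots & y_{1n} \\ y_{21} & y_{22} & \cdots & y_{2n} \\ \vdots & \vdots & & \vdots \\ y_{m1} & y_{m2} & \cdots & y_{mn} \end{pmatrix}$$

Let $\mathbf{x}_j$ and $\mathbf{y}_j$ represent the $j$th column vector of each respective array. Then, $X$ and $Y$
contain identical multisets of row vectors if and only if, for all $j$, $1 \le j \le n$, $wt(\mathbf{x}_j) = wt(\mathbf{y}_j)$
and the pairwise distances between column vectors, $d(\mathbf{x}_j, \mathbf{x}_k) = d(\mathbf{y}_j, \mathbf{y}_k)$ for all
combinations $j, k$, where $1 \le j, k \le n$.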

Proof. ($\Rightarrow$) Let $X$ and $Y$ be rectangular arrays each of which contain $m$ rows of binary
vectors of length $n$. Let the row vectors of $X$ and $Y$ be exhaustively constructed using
identical multisets of size $m$. Let $\mathbf{x}_j$ and $\mathbf{y}_j$ represent the $j$th column vector of each respective
array. For each array, there are $m!$ orderings of the row vectors. Without loss of generality,
select one such ordering for $X$ and one ordering for $Y$. Now, $X$ and $Y$ were exhaustively
constructed using row vectors taken from identical multisets, so despite any possible
different orderings, for all $j$, $1 \le j \le n$, $wt(\mathbf{x}_j) = wt(\mathbf{y}_j)$. For each array, $X$ and $Y$, we now
create $\binom{n}{2}$ sub-arrays $X_{(j,k)}$ and $Y_{(j,k)}$ where each row $i$, from 1 to $m$, has elements $(x_{ij}, x_{ik})$
or $(y_{ij}, y_{ik})$, respectively. Since $X$ and $Y$ have row vectors taken from identical multisets of
size $m$, for each possible combination $j$ and $k$, $1 \le j, k \le n$, it must also be the case that
each sub-array $X_{(j,k)}$ and $Y_{(j,k)}$ form identical multisets of two element row vectors. In
order for $d(\mathbf{x}_j, \mathbf{x}_k) \neq d(\mathbf{y}_j, \mathbf{y}_k)$ it would mean that $X_{(j,k)}$ and $Y_{(j,k)}$ had different multisets of
two-element row vectors. Since this is not the case, we conclude that $d(\mathbf{x}_j, \mathbf{x}_k) = d(\mathbf{y}_j, \mathbf{y}_k)$
for all combinations $j, k$, where $1 \le j, k \le n$.

($\Leftarrow$) Let $X$ and $Y$ be two rectangular arrays each containing $m$ rows of binary vectors
of length $n$. Let $\mathbf{x}_j$ and $\mathbf{y}_j$ represent the $j$th column vector of each respective array, and
let $X$ and $Y$ be such that for all $j$, $1 \le j \le n$, $wt(\mathbf{x}_j) = wt(\mathbf{y}_j)$ and for all combinations of
columns $j, k$, where $1 \le j, k \le n$, $d(\mathbf{x}_j, \mathbf{x}_k) = d(\mathbf{y}_j, \mathbf{y}_k)$. For each array, create $\binom{n}{2}$ sub-arrays
$X_{(j,k)}$ and $Y_{(j,k)}$ where each row $i$, from 1 to $m$, has elements $(x_{ij}, x_{ik})$ or $(y_{ij}, y_{ik})$
respectively. To each sub-array, $X_{(j,k)}$ and $Y_{(j,k)}$, associate the 3-tuple $(wt(\mathbf{x}_j), wt(\mathbf{x}_k), d(\mathbf{x}_j, \mathbf{x}_k))$ or
$(wt(\mathbf{y}_j), wt(\mathbf{y}_k), d(\mathbf{y}_j, \mathbf{y}_k))$, respectively. Now, $d(\mathbf{x}_j, \mathbf{x}_k) = \sum_{i=1}^{m} x_{ij} \oplus x_{ik}$ and
$d(\mathbf{y}_j, \mathbf{y}_k) = \sum_{i=1}^{m} y_{ij} \oplus y_{ik}$. Therefore, the parity of the bits in each specific column of row $i$ differ for
each bit combination ($1 \oplus 0$ and $0 \oplus 1$) which contributes to the cumulative distance
between the column vectors. This is also the case for bit combinations ($1 \oplus 1$ and $0 \oplus 0$)
which do not contribute to the cumulative distance. Consequently, it is not possible to
obtain two similar distance values between column vectors using different bit combinations,
without altering the respective column weights. Our 3-tuples $(wt(\mathbf{x}_j), wt(\mathbf{x}_k), d(\mathbf{x}_j, \mathbf{x}_k))$
and $(wt(\mathbf{y}_j), wt(\mathbf{y}_k), d(\mathbf{y}_j, \mathbf{y}_k))$ are therefore unique irrespective of row vector order. Since
$wt(\mathbf{x}_j) = wt(\mathbf{y}_j)$ for all $i$, $1 \le i \le n$ and $d(\mathbf{x}_j, \mathbf{x}_k) = d(\mathbf{y}_j, \mathbf{y}_k)$ for all combinations of
columns $j, k$, where $1 \le j, k \le n$, it must be the case that $(wt(\mathbf{x}_j), wt(\mathbf{x}_k), d(\mathbf{x}_j, \mathbf{x}_k))$ and
$(wt(\mathbf{y}_j), wt(\mathbf{y}_k), d(\mathbf{y}_j, \mathbf{y}_k))$ agree for all $X_{(j,k)}$ and $Y_{(j,k)}$. We have thus shown that $X$ and $Y$
must contain the same multisets of row vectors. ■

Theorem 3.40. Let $f = f_1 \| f_2$ be a generalized Boolean function created using the
generalized Siegenthaler construction in Theorem 3.35, such that $f \in \mathcal{GB}_{n+1}^q$
and $f_1$ and $f_2$ are both correlation immune (order $t$) functions. Let $f_1(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$
and $f_2(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j b_j(\mathbf{x})$, where $a_j, b_j \in \mathcal{B}_n$ and $\mathbf{x} \in \mathbb{V}_n$. Then $f$ is correlation immune
(order $t$) if and only if for all $j$ and $h$, $0 \le j, h \le k - 1$, the Boolean functions $a_j$ and $b_j$ are
such that $wt(\mathbf{a}_j) = wt(\mathbf{b}_j)$ and the pairwise distances $d(\mathbf{a}_j, \mathbf{a}_h) = d(\mathbf{b}_j, \mathbf{b}_h)$.

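Proof. ($\Rightarrow$) Let $f \in \mathcal{GB}_{n+1}^q$ be a generalized Boolean function created by concatenating
two CI(t) generalized Boolean functions $f_1, f_2 \in \mathcal{GB}_n^q$ in accordance with Theorem 3.35.
The function $f$ is correlation immune (order $t$), so it must be the case that for all $\mathbf{x} \in \mathbb{V}_n$
and all output values $c \in \mathbb{Z}_q$, $c \in f_1(\mathbb{V}_n) \cap f_2(\mathbb{V}_n)$, and $\Pr(f_1(\mathbf{x}) = c) = \Pr(f_2(\mathbf{x}) = c)$. Let
$c_2(j)$ represent the $j$th bit of the binary expansion of $c$, such that for $0 \le j \le k - 1$, $f_1(\mathbf{x}) = c$
and $a_j(\mathbf{x}) = c_2(j)$ and $f_2(\mathbf{z}) = c$ and $b_j(\mathbf{z}) = c_2(j)$. Consider the two $2^n \times k$ arrays of truth
table values for $a_j$ and $b_j$.

$$\begin{array}{cccc|c}
a_0 & a_1 & \cdots & a_{k-1} & f_1 \\ \hline
a_{1,0} & a_{1,1} & \cdots & a_{1,k-1} & f_{1,1} \\
a_{2,0} & a_{2,1} & \cdots & a_{2,k-1} & f_{2,1} \\
a_{3,0} & a_{3,1} & \cdots & a_{3,k-1} & f_{3,1} \\
\vdots & \vdots & & \vdots & \vdots \\
a_{2^n,0} & a_{2^n,1} & \cdots & a_{2^n,k-1} & f_{2^n,1}
\end{array}
\qquad
\begin{array}{cccc|c}
b_0 & b_1 & \cdots & b_{k-1} & f_2 \\ \hline
b_{1,0} & b_{1,1} & \cdots & b_{1,k-1} & f_{1,2} \\
b_{2,0} & b_{2,1} & \cdots & b_{2,k-1} & f_{2,2} \\
b_{3,0} & b_{3,1} & \cdots & b_{3,k-1} & f_{3,2} \\
\vdots & \vdots & & \vdots & \vdots \\
b_{2^n,0} & b_{2^n,1} & \cdots & b_{2^n,k-1} & f_{2^n,2}
\end{array}$$

Since the probabilities of $c$ occurring in the two functions must be equal, the number of
instances of $c$ in $f_1$ and $f_2$ must be the same. This in turn means that the number of instances
of $c_2$ occurring as a row vector must be the same for both arrays. By Lemma 3.39 the two
arrays are such that for all $j$ and $h$, $1 \le j, h \le k - 1$, $wt(\mathbf{a}_j) = wt(\mathbf{b}_j)$, and all pairwise
distances $d(\mathbf{a}_j, \mathbf{a}_h) = d(\mathbf{b}_j, \mathbf{b}_h)$.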


($\Leftarrow$) Let $f_1$ and $f_2$ be two $n$-variable correlation immune (order $t$) generalized Boolean
functions. Let $f_1(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, and $f_2(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j b_j(\mathbf{x})$, where $a_j, b_j \in \mathcal{B}_n$ and
$\mathbf{x} \in \mathbb{V}_n$. For all $j$ and $h$, where $0 \le j, h \le k - 1$, let the Boolean function truth tables
be such that $wt(\mathbf{a}_j) = wt(\mathbf{b}_j)$ and $d(\mathbf{a}_j, \mathbf{a}_h) = d(\mathbf{b}_j, \mathbf{b}_h)$. This ensures that each function’s
$2^n \times k$ array of Boolean values contain the same multisets of binary row vectors. For each
$k$-long binary vector $c_2$ in each multiset, there exists a corresponding value $c \in \mathbb{Z}_q$ in the
respective truth tables of $f_1$ and $f_2$. Thus if the frequency of each distinct binary row vector
agrees between the two multisets, so too does the frequency of each value $c$ in $f_1$ and $f_2$.
We therefore conclude that for all $c$, $\Pr(f_1(\mathbf{x}) = c) = \Pr(f_2(\mathbf{x}) = c)$. Moreover, since $f_1$
and $f_2$ also agree with respect to dimension and correlation immunity order, we satisfy the
requisite preconditions under which the generalized Siegenthaler construction may be used.
Carrying out the construction we thus create the generalized Boolean function $f = f_1 \| f_2$,
where $f \in \mathcal{GB}_{n+1}^q$. According to Theorem 3.35 this function is correlation immune of
order $t$. ■

Theorem 3.41. Let $f \in \mathcal{GB}_n^q$ be the generalized Boolean function $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$,
where $0 \le j \le k - 1$, $a_j \in \mathcal{B}_n$ and $\mathbf{x} \in \mathbb{V}_n$. Then $f$ is correlation immune (order $t$) if and
only if all Boolean functions $a_j$ are CI(t) and use the same partition $P$ of $\mathbb{V}_n$ consisting of
$q$ orthogonal arrays, $O_j$, each of strength $t$.

Proof. ($\Rightarrow$) Let $f$ and the functions $a_j$ be as described. Let $P$ be a partition of $\mathbb{V}_n$
consisting of $q$ orthogonal arrays, $O_h$, $0 \le h \le q - 1$, each of strength $t$. Suppose that
for all $O_h \in P$ each function $a_j$ uses the partition $P$. Then for each $h$ and all vectors,
$\mathbf{x} \in O_h$, $(a_0(\mathbf{x}), a_1(\mathbf{x}), \ldots, a_{k-1}(\mathbf{x}))$ is a unique binary vector $c_2$, and
$a_0(\mathbf{x}) + 2a_1(\mathbf{x}) + \cdots + 2^{k-1} a_{k-1}(\mathbf{x}) = c \in \mathbb{Z}_q$ is thus a unique output value for $f$. Consequently, $f$ is correlation
immune (order $t$).

($\Leftarrow$) Let $f \in \mathcal{GB}_n^q$ be a correlation immune (order $t$) generalized Boolean function. Then
according to Theorem 3.9, associated with $f$ there is a partition $P$ consisting of $q$ strength
$t$ orthogonal arrays, $O_h$, $0 \le h \le q - 1$, such that for each distinct output value $c_h \in f(\mathbb{V}_n)$,
there exists an $O_h$ such that $O_h = \{\mathbf{x} \in O_h : f(\mathbf{x}) = c_h\}$. Since $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, this
means that for each $c$ and all Boolean functions, $a_j$, there must exist an $O_h$ such that
$O_h = \{\mathbf{x} \in O_h : (a_0(\mathbf{x}), 2a_1(\mathbf{x}), \ldots, 2^{k-1} a_{k-1}(\mathbf{x})) = c_h\}$. This in turn means that each
Boolean function $a_j$ utilizes the partition $P$. Moreover, by applying Lemma 3.37 to $P$
and each respective Boolean function $a_j$, we conclude that $a_j$ is CI(t). ■


3.6 Correlation Immunity and the Walsh-Hadamard Transform

The Walsh transform is a very useful tool when studying Boolean functions. Cusick and
Stanica provide the following lemma regarding correlation immunity of order t in their
book on Cryptographic Boolean Functions and Applications [11]:

Lemma 3.42. [11, p. 56]

A [Boolean] function $f(\mathbf{x})$ in $n$ variables is correlation immune of order $t$, $1 \le t \le n$, if and
only if all of the Walsh transforms

$$W_f(\mathbf{w}) = \sum_{\mathbf{x} \in \mathbb{V}_n} (-1)^{f(\mathbf{x}) \oplus \mathbf{x} \cdot \mathbf{w}} = 0, \qquad 1 \le wt(\mathbf{w}) \le t.$$

It is certainly possible to define a correlation immunity notion based on the
Walsh-Hadamard transform for generalized Boolean functions. To this end, we say that a
generalized Boolean function $f \in \mathcal{GB}_n^q$ is generalized correlation immune of order $t$, denoted
gCI(t), if and only if $\mathcal{H}_f(\mathbf{w}) = 0$ for all $\mathbf{w}$ with $1 \le wt(\mathbf{w}) \le t$. One naturally
wonders whether or not this concept is equivalent to the probabilistic paradigm under which we
have thus far been operating. We demonstrate, in fact, that a function that is CI(1) is also
gCI(1), but the converse is in general not true. For simplicity’s sake, we consider here only
the case when $t = 1$. The basic approach taken in the theorem that follows can however
also be used to prove the cases when $t > 1$.

Theorem 3.43. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function. If $f$ is CI(1), then $f$ is
gCI(1).


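Proof. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function and let $\mathbf{w} \in \mathbb{V}_n$ and $wt(\mathbf{w}) = 1$.
That is, $\mathbf{w} = (0, \ldots, 0, 1, 0, \ldots, 0)$, with the 1 in position $i$, for some $i$. Now,

$$\begin{aligned}
\mathcal{H}_f(\mathbf{w}) &= \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{w} \cdot \mathbf{x}} \\
&= \sum_{\mathbf{x},\, x_i = 0} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{w} \cdot \mathbf{x}} + \sum_{\mathbf{x},\, x_i = 1} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{w} \cdot \mathbf{x}} \\
&= \sum_{c=0}^{q-1} \sum_{\substack{\mathbf{x},\, f(\mathbf{x}) = c \\ x_i = 0}} \zeta^{c} (-1)^{\mathbf{w} \cdot \mathbf{x}} + \sum_{c=0}^{q-1} \sum_{\substack{\mathbf{x},\, f(\mathbf{x}) = c \\ x_i = 1}} \zeta^{c} (-1)^{\mathbf{w} \cdot \mathbf{x}} \\
&= \sum_{c=0}^{q-1} \sum_{\substack{\mathbf{x},\, f(\mathbf{x}) = c \\ x_i = 0}} \zeta^{c} - \sum_{c=0}^{q-1} \sum_{\substack{\mathbf{x},\, f(\mathbf{x}) = c \\ x_i = 1}} \zeta^{c} \\
&= \sum_{c=0}^{q-1} \eta_{0c} \zeta^{c} - \sum_{c=0}^{q-1} \eta_{1c} \zeta^{c} = \sum_{c=0}^{q-1} (\eta_{0c} - \eta_{1c}) \zeta^{c},
\end{aligned}$$

where $\eta_{0c} = |\{\mathbf{x} \mid f(\mathbf{x}) = c, x_i = 0\}|$ and $\eta_{1c} = |\{\mathbf{x} \mid f(\mathbf{x}) = c, x_i = 1\}|$. Since $f$ is CI(1),
$\eta_{0c} = \eta_{1c}$ for all $c$, therefore $\mathcal{H}_f(\mathbf{w}) = 0$. ■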


Unfortunately, as we previously discovered when exploring balancedness in Chapter 2,
things in the generalized setting have a tendency of becoming a bit more complicated than
that which one experiences in the classical Boolean environment. Such is also the case
when it comes to correlation immunity. While the probabilistic point of view we have
thus far been operating under is consistent with the correlation immunity notion using the
generalized Walsh-Hadamard transform, the converse is in general not true. To see that this
is indeed the case, consider the following generalized Boolean function $f \in \mathcal{GB}_4^4$:


Table 3.9: A non-CI(1) function $f \in \mathcal{GB}_4^4$ where $\mathcal{H}_f(\mathbf{w}) = 0$

V_4   0000  0001  0010  0011  0100  0101  0110  0111  1000  1001  1010  1011  1100  1101  1110  1111
f     0     0     0     2     0     2     2     0     2     0     1     3     3     1     0     0

The 4th root of unity is $\zeta_4 = i$. Letting $\mathbf{w} \in \{0001, 0010, 0100, 1000\}$, we compute $\mathcal{H}_f(\mathbf{w})$,
which yields the following:

$$\mathcal{H}_f(0001) = i^0 + i^0 + i^0 + i^2 + i^2 + i^1 + i^3 + i^0 - i^0 - i^2 - i^2 - i^0 - i^0 - i^3 - i^1 - i^0 = 0,$$

$$\mathcal{H}_f(0010) = i^0 + i^0 + i^0 + i^2 + i^2 + i^0 + i^3 + i^1 - i^0 - i^2 - i^2 - i^0 - i^1 - i^3 - i^0 - i^0 = 0,$$

$$\mathcal{H}_f(0100) = i^0 + i^0 + i^0 + i^2 + i^2 + i^0 + i^1 + i^3 - i^0 - i^2 - i^2 - i^0 - i^3 - i^1 - i^0 - i^0 = 0,$$

and

$$\mathcal{H}_f(1000) = i^0 + i^0 + i^0 + i^2 + i^0 + i^2 + i^2 + i^0 - i^2 - i^0 - i^1 - i^3 - i^3 - i^1 - i^0 - i^0 = 0.$$

Since the generalized Walsh-Hadamard transform, $\mathcal{H}_f(\mathbf{w})$, equals 0 for each Hamming
weight 1 vector $\mathbf{w}$, the function $f$ is gCI(1). However, by inspection, one quickly
observes that $f$ is not CI(1). For example, the two occurrences of the output value 1 both
occur in the second half of the truth table. Thus, when considering the most significant
(lexicographically ordered) bit position $i = 4$, one must conclude that $f$ cannot be CI(1).
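
The gap between CI(1) and gCI(1) can be made exact when q is a power of two. In the added example below (written for this section, not taken from the dissertation), the transform is expressed through the signed counts n_c = eta_0c - eta_1c from the proof of Theorem 3.43: because zeta^(c+q/2) = -zeta^c and 1, zeta, ..., zeta^(q/2-1) are linearly independent over the rationals, the transform vanishes exactly when n_c = n_(c+q/2), whereas CI requires every n_c to be 0. Function names are assumptions, q = 2^k is assumed, and bit positions are counted from the right so that the leftmost bit is position n, as in the paragraph above.

```python
import cmath
from itertools import combinations

# Table 3.9 from the text: outputs in Z_4 for inputs 0000 .. 1111.
TABLE_3_9 = [0, 0, 0, 2, 0, 2, 2, 0, 2, 0, 1, 3, 3, 1, 0, 0]


def signed_counts(tt, q, w):
    """n_c(w) = #{x: f(x)=c, w.x=0} - #{x: f(x)=c, w.x=1} for each c in Z_q.
    For wt(w) = 1 this is eta_0c - eta_1c from the proof of Theorem 3.43."""
    counts = [0] * q
    for x, c in enumerate(tt):
        counts[c] += -1 if bin(x & w).count("1") % 2 else 1
    return counts


def transform(tt, q, w):
    """Numerical value of sum_x zeta^f(x) (-1)^(w.x), unnormalised as in the
    worked computation for Table 3.9."""
    zeta = cmath.exp(2j * cmath.pi / q)
    return sum(n_c * zeta ** c for c, n_c in enumerate(signed_counts(tt, q, w)))


def transform_is_zero(tt, q, w):
    """Exact zero test for q = 2^k: compare n_c with n_(c + q/2)."""
    if q < 2 or q & (q - 1):
        raise ValueError("q must be a power of two")
    counts = signed_counts(tt, q, w)
    half = q // 2
    return all(counts[c] == counts[c + half] for c in range(half))


def low_weight_vectors(n, t):
    """All w in V_n with 1 <= wt(w) <= t, encoded as n-bit integers."""
    return [sum(1 << p for p in positions)
            for weight in range(1, t + 1)
            for positions in combinations(range(n), weight)]


def is_gci(tt, n, q, t):
    """gCI(t): the transform vanishes on every w of weight 1..t."""
    return all(transform_is_zero(tt, q, w) for w in low_weight_vectors(n, t))


def is_ci_by_counts(tt, n, q, t):
    """CI(t): every signed count vanishes, i.e. each preimage f^-1(c) is
    uncorrelated with every parity of at most t input bits."""
    return all(not any(signed_counts(tt, q, w))
               for w in low_weight_vectors(n, t))


def leaking_positions(tt, n, q):
    """Bit positions i (rightmost = 1) whose value is correlated with f."""
    return [i for i in range(1, n + 1) if any(signed_counts(tt, q, 1 << (i - 1)))]


if __name__ == "__main__":
    print("gCI(1):", is_gci(TABLE_3_9, 4, 4, 1))
    print("CI(1): ", is_ci_by_counts(TABLE_3_9, 4, 4, 1))
    print("n_c for w = 1000:", signed_counts(TABLE_3_9, 4, 0b1000))
    print("leaking positions:", leaking_positions(TABLE_3_9, 4, 4))
```
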

3.7 Rotation Symmetric Correlation Immune Generalized Boolean Functions

Having discussed several methods of constructing correlation immune generalized Boolean
functions, we now turn our attention to correlation immune generalized Boolean functions,
which are also rotation symmetric. Rotation symmetric Boolean functions were introduced
by Pieprzyk and Qu in 1999 [33], though they appear in the work of Filiol and Fontaine [15]
as idempotents, the preceding year. These functions remain invariant under cyclic rotations
of their input vectors, and are of particular importance as components of cryptographic
hashing algorithms, where they reduce computational complexity by allowing reuse of
results obtained in previous iterations of an algorithm. Building upon our previously
developed foundation of orthogonal array aided constructions, we will in this section extend the
approach and demonstrate a method for constructing correlation immune and rotation
symmetric generalized Boolean functions. Before embarking on this endeavor, we cover the
following requisite material.

We adopt Cusick and Stanica’s notation and generalize the definition of rotation symmetric
Boolean functions from [11, p. 121].

Let $(x_1, x_2, \ldots, x_n) \in \mathbb{V}_n$. For $1 \le k \le n$ we define

$$\rho_n^k(x_i) = \begin{cases} x_{i+k} & \text{if } i + k \le n, \\ x_{i+k-n} & \text{if } i + k > n, \end{cases}$$

which naturally extends to vectors.

Definition 3.44. A generalized Boolean function $f$ is rotation symmetric (RotS) if and only
if for any $(x_1, x_2, \ldots, x_n) \in \mathbb{V}_n$,

$$f(\rho_n^k(x_1, \ldots, x_n)) = f(x_1, \ldots, x_n),$$

for any $1 \le k \le n$.

Definition 3.45. [19, p. 88] A linear code is called cyclic if whenever

$$(c_0, c_1, \ldots, c_{k-2}, c_{k-1}) \qquad (3.4)$$

is a codeword, then so too is

$$(c_1, c_2, \ldots, c_{k-1}, c_0) \qquad (3.5)$$

(that is, codewords are invariant under cyclic rotations).

Definition 3.46. [19, p. 88] An orthogonal array $O$, denoted OA(m, n, 2, t), is cyclic if it is
linear and whenever (3.4) is a row vector in $O$, then (3.5) is a row vector in $O$.

As is customary in coding theory, we concisely represent a set of cyclic vectors using
a single vector in angled brackets. Let $\mathbf{x} = (x_1, x_2, \ldots, x_n)$, then for $k = 1$ to $n$,
$\langle \mathbf{x} \rangle = \rho_n^k(x_1, x_2, \ldots, x_n)$. For example: $\langle 0001 \rangle = \{1000, 0100, 0010, 0001\}$. Additionally, given a
vector $\mathbf{x} \in \mathbb{V}_n$, we define its cyclic period, $p_{\mathbf{x}}$, where $1 \le p_{\mathbf{x}} \le n$, as $p_{\mathbf{x}} = |\langle \mathbf{x} \rangle|$.

Definition 3.47. A partition of $\mathbb{V}_n$ which remains invariant under the set of column
rotations $\rho_n^k(x_i)$, $1 \le k \le n$, is called a rotation symmetric partition.


Several of the previously discussed linear codes and linear orthogonal arrays were cyclic.
Our new construction of RotS and CI(t) generalized Boolean functions relies upon cyclic
orthogonal arrays. To highlight our approach, we revisit a familiar orthogonal array.


Example 3.48. Suppose we wish to construct a RotS and CI(1) generalized Boolean
function $f \in \mathcal{GB}_4^4$. We begin again with the linear orthogonal array $O_0$ = OA(2, 4, 2, 1). As
seen in Example 3.28, this orthogonal array is symmetric and thus must also be RotS. As
before, we list $O_0$ along with its 7 cosets:

O_0 = 0000      O_1 = 0001      O_2 = 0010      O_3 = 0100
      1111,           1110,           1101,           1011,

O_4 = 1000      O_5 = 0011      O_6 = 0101      O_7 = 1001
      0111,           1100,           1010,           0110.

In order for $f$ to be both RotS and CI(1), we must first be able to partition $\mathbb{V}_n$ in such a way
that

1. Each subset of the partition forms an orthogonal array, and

2. The partition must be rotation symmetric.

The first task is accomplished using the previously outlined partitioning technique which
employs a linear orthogonal array along with its cosets, each of which is an orthogonal array
in its own right. However, in order to satisfy the second requirement, we select as our
starting point a cyclic orthogonal array. Moreover, once the cosets have been formed, we
group them in such a way as to ensure that each group of orthogonal arrays contains all
vectors, $\mathbf{x} \in \mathbb{V}_4$, from the same cyclic class, $\langle \mathbf{x} \rangle$. Having done so, we then map all vectors
within each group to the same output value in $\mathbb{Z}_q$. Given that

$\langle 0001 \rangle = \{0001, 0010, 0100, 1000\}$    $\langle 0011 \rangle = \{0011, 0110, 1100, 1001\}$

$\langle 1110 \rangle = \{1110, 1101, 1011, 0111\}$    $\langle 0101 \rangle = \{0101, 1010\}$,

we can for example achieve our goal using the following mapping:

$$\{O_0 \to 0, \; \{O_1, O_2, O_3, O_4\} \to 1, \; O_6 \to 3, \; \{O_5, O_7\} \to 2\}.$$


Doing so produces the RotS and CI(1) generalized Boolean function in Table 3.10.

Table 3.10: A RotS and CI(1) generalized Boolean function $f \in \mathcal{GB}_4^4$

V_4     f
0000    0
0001    1
0010    1
0011    2
0100    1
0101    3
0110    2
0111    1
1000    1
1001    2
1010    3
1011    1
1100    2
1101    1
1110    1
1111    0

Algorithm 5 RotS and CI(t) generalized Boolean function construction

Select a cyclic linear orthogonal array O_0 = OA(m, n, 2, t), where m = 2^k and n > t.
Store row vectors of O_0 to array V.
Create an array of arrays, P.
Create two arrays F and I.
Store 1 in I.
for i = 1 to 2^n − 1 do
    x = i_2
    if x ∉ V and x ∉ P then
        Construct set of cyclic vectors ⟨x⟩.
        Compute p_x = |⟨x⟩|.
        Store (p_x, ⟨x⟩) to P.
    end if
    i++
end for
Sort P such that (p_x, ⟨x⟩) tuples appear in ascending order with respect to p_x.
for j = 0 to length.P(outer) − 1 do
    cnt = 0
    for k = 1 to P[j][0] − 1 do
        if P[j][k] ∉ V then
            for h = 0 to m − 1 do
                v_h = V[h] ⊕ P[j][k]
                Store v_h to V
            end for
            cnt++
        end if
        k++
    end for
    store cnt to I.
    j++
end for
Set q ← length.I
Create set Z_q = {0, 1, ..., q − 1}
start ← 0
end ← m − 1
for i = 0 to q − 1 do
    Select an output value c_i ∈ Z_q.
    for k = start to end do
        Store (V[k], c_i) to F.
    end for
    start ← end + 1
    end ← end + I[i] · m
end for
Sort tuples of F such that input vectors appear in lexicographic order.
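
The grouping step of Example 3.48 can be reproduced mechanically. The Python code below is an added example, not the dissertation's Algorithm 5 but a compact variant of the same idea that uses a union-find over cosets: it takes a cyclic linear orthogonal array, merges every coset that shares a cyclic class with another, and labels the resulting groups in lexicographic order of first appearance. That labelling and all function names are assumptions made here; for O_0 = {0000, 1111} the labelling reproduces Table 3.10.

```python
from collections import Counter
from itertools import combinations


def rotations(x, n):
    """Cyclic class <x>: every rotation of the n-bit integer x."""
    mask = (1 << n) - 1
    return {((x << k) | (x >> (n - k))) & mask for k in range(n)}


def has_strength(rows, n, t):
    """Orthogonal-array test: in every choice of t columns each of the 2^t
    bit patterns occurs equally often among the rows."""
    for cols in combinations(range(n), t):
        seen = Counter(tuple((r >> (n - 1 - c)) & 1 for c in cols) for r in rows)
        if len(seen) != 2 ** t or len(set(seen.values())) != 1:
            return False
    return True


def rots_ci_function(oa0, n, t):
    """Truth table (inputs in lexicographic order) of a RotS and CI(t)
    function built from the cosets of the cyclic linear array oa0."""
    oa0 = set(oa0)
    if 0 not in oa0 or any(a ^ b not in oa0 for a in oa0 for b in oa0):
        raise ValueError("O_0 must be linear (closed under XOR)")
    if any(not rotations(v, n) <= oa0 for v in oa0):
        raise ValueError("O_0 must be cyclic")
    if not has_strength(oa0, n, t):
        raise ValueError("O_0 must have strength t")

    def coset(x):
        # smallest element of x + O_0 serves as the coset's representative
        return min(x ^ v for v in oa0)

    parent = {coset(x): coset(x) for x in range(2 ** n)}

    def find(r):
        while parent[r] != r:
            parent[r] = parent[parent[r]]
            r = parent[r]
        return r

    # Cosets that contain vectors of one cyclic class must share an output.
    for x in range(2 ** n):
        for y in rotations(x, n):
            parent[find(coset(y))] = find(coset(x))

    labels, table = {}, []
    for x in range(2 ** n):
        table.append(labels.setdefault(find(coset(x)), len(labels)))
    return table


def is_rotation_symmetric(table, n):
    return all(table[y] == table[x]
               for x in range(2 ** n) for y in rotations(x, n))


def preimages_are_oas(table, n, t):
    """CI(t) in the partition view: each f^-1(c) is a strength-t array."""
    return all(has_strength([x for x in range(2 ** n) if table[x] == c], n, t)
               for c in set(table))


if __name__ == "__main__":
    f = rots_ci_function({0b0000, 0b1111}, 4, 1)
    for x, c in enumerate(f):
        print(format(x, "04b"), c)
    print("RotS:", is_rotation_symmetric(f, 4), "CI(1):", preimages_are_oas(f, 4, 1))
```
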
Proof of Correctness of RotS and $CI(t)$ Generalized Boolean Function Construction:

Suppose we wish to construct a RotS and $CI(t)$ generalized Boolean function $f \in \mathcal{GB}_n^q$
using Algorithm 5. As was the case with Algorithm 4, we begin by selecting a suitable
linear orthogonal array. In this case, however, we stipulate that the orthogonal array
$O_0 = OA(2^\ell, n, 2, t)$, $(n > t)$, must also be cyclic. To ensure the function is correlation
immune, Algorithm 5 retains the general approach of partitioning using $O_0$ along with
its cosets, all of which also are orthogonal arrays. However, in order to also achieve
rotation symmetry, the way in which we go about creating and grouping these cosets has been
slightly modified. For each vector $x \in \mathbb{V}_n \setminus O_0$, we construct the set of vectors, $\langle x \rangle$. For each
unique cyclic class, $\langle x \rangle$, we compute its associated period, $p_x = |\langle x \rangle|$, and store $(p_x, \langle x \rangle)$ to
an array of arrays, $P$. Once this task has been accomplished, we sort the tuples of $P$ such
that the $p_x$ values appear in increasing order. Using vectors in $P$, Algorithm 5 then forms
the $2^{n-\ell} - 1$ cosets of $O_0$ in the familiar manner. $O_0$ is a simple linear orthogonal array and
its row vectors form a subgroup of $\mathbb{V}_n$. Using $O_0$ along with its cosets, the algorithm
therefore creates a partition of $\mathbb{V}_n$. Each coset within the partition is unique and, in accordance
with Lemma 3.10, also is an $OA(m, n, 2, t)$ orthogonal array. There is, however, no guarantee
that the cosets are cyclic. Consequently, in order to ensure that cosets which contain
vectors belonging to the same cyclic class get grouped together, the algorithm successively
builds cosets using the vectors within the same cyclic classes in $P$, and keeps track of the
membership boundaries of the vectors within groupings of cosets using the index array $I$.
To demonstrate that this method of grouping orthogonal arrays produces a rotation symmetric
partition of $\mathbb{V}_n$, we argue as follows: $O_0$ is a cyclic orthogonal array, hence for every
row vector $y \in O_0$, $O_0$ contains the set $\langle y \rangle$ of every vector which is a cyclic rotation of $y$.
Select a vector $x$ such that $x \in \mathbb{V}_n \setminus O_0$, and form the cyclic set $\langle x \rangle$, containing all possible
vectors which are cyclic rotations of $x$. Let $z = y \oplus x$. Suppose that for some $k$, where
$1 \le k < n$, there exists a cyclic rotation $\rho^k$ such that $\rho^k(z) \notin B$, where $B$ is the set defined
as $B = \{y \oplus x \mid y \in \langle y \rangle, x \in \langle x \rangle\}$. Now $\rho^k(z) = \rho^k(y \oplus x) = \rho^k(y) \oplus \rho^k(x)$. Therefore, in order
for $\rho^k(z) \notin B$ it would imply that either $\rho^k(y) \notin \langle y \rangle$ or $\rho^k(x) \notin \langle x \rangle$, neither of which by
definition are possible. We therefore conclude that the set of vectors $B$ is cyclic. Given the
fact that $O_0$ is a subgroup of $\mathbb{V}_n$, it clearly must contain a minimum of two cyclic classes,
namely $\langle 0 \rangle$, as well as at least one additional class $\langle y \rangle$, where $y \in O_0$. However, the way
in which we construct the cosets guarantees that the vectors from all cyclic classes in $O_0$
are added to all the vectors in the cyclic class $\langle x \rangle$. Moreover, since $O_0$ contains the identity
element 0 we can be assured that each vector within a given cyclic class $\langle x \rangle$ will appear in
a coset of $O_0$.

Remark 3.49. In order to avoid constructing duplicate orthogonal arrays, the algorithm
takes care to check after each iteration whether or not the next vector in the generating
set $\langle x \rangle$ occurred in the previously constructed coset. For example, if $O_0 = \{0000, 1111\}$
and we were using the set $\langle 0101 \rangle = \{0101, 1010\}$ to form a set of cyclic cosets of $O_0$, the
first coset constructed (using 0101) would be $\{0101, 1010\}$. However, the second vector
$1010 \in \langle 0101 \rangle$ already appeared in the coset produced, therefore the algorithm would not
use it again, but rather skip it, determine that the set $\langle 0101 \rangle$ had been exhausted, and write
the index of the last vector in the set of cosets to the index array, $I$, before proceeding to
the next array element in $P$.

Algorithm 5 terminates once the number of vectors in the set $V$ is $2^n$. At this point it will
contain $2^{n-\ell}$ orthogonal arrays and be a partition of $\mathbb{V}_n$. The index array $I$ keeps track of
how many cosets each cyclic class $\langle x \rangle$ produces, thus enabling the required grouping of
orthogonal arrays. By counting the number of elements in $I$, the algorithm determines the
number of distinct functional output values, $q$, achievable in the construction. By
subsequently assigning the same output value, $c_i \in \mathbb{Z}_q$, for $i = 0$ to $q - 1$, to every vector within a
set of orthogonal arrays, the algorithm not only ensures the function is correlation immune
(order $t$), but that it also is rotation symmetric.

Example 3.50. Suppose we wish to construct a RotS and $CI(2)$ generalized Boolean
function $f$. We first select the cyclic $OA(8,7,2,2)$ linear orthogonal array:

$O_0 = \{0000000, 1011100, 0101110, 0010111, 1001011, 1100101, 1110010, 0111001\}$.

The algorithm begins by storing the row vectors of $O_0$ to the array $V$. It initializes an array
of arrays $P$ and an array $I$ with the value 1. For each vector $x \in \mathbb{V}_7 \setminus O_0$, the
algorithm checks that $x \notin P$, then constructs the cyclic set of vectors $\langle x \rangle$. It subsequently
computes the period $p_x = |\langle x \rangle|$ and stores $(p_x, \langle x \rangle)$ to $P$. Once all cyclic sets of vectors
that are not in $O_0$ have been constructed and stored in $P$ along with their associated periods,
the algorithm will begin to use the vectors within these cyclic classes to construct the cosets
of $O_0$. Since in this example $n$ is prime, all vectors in $\mathbb{V}_7$ are either period 1 or period 7. For
any orthogonal array, there are only two period 1 vectors, namely $\mathbf{0}$ and $\mathbf{1}$. The $\mathbf{0}$ vector is
the additive identity in $G = (\mathbb{V}_7, \oplus)$, and thus must be in $O_0$ given the fact that $O_0$ is a linear
orthogonal array and $O_0 < G$. However, as luck would have it, $\mathbf{1}$ is not in $O_0$. This means
that the first entry in $P$ will be $(1, \{1111111\})$ and the first set of cyclic cosets
which Algorithm 5 constructs will only include the following cyclic orthogonal array:

$O_1 = \{1111111, 0100011, 1010001, 1101000, 0110100, 0011010, 0001101, 1000110\}$.

Once the last of these vectors has been added to the set $V$, the set of generating vectors
within this entry of $P$ has been exhausted. The algorithm will then store the number of
cosets which were created, in this case 1, to the index array $I$, before moving on to the next
entry in $P$, which is:

(7, {0000001, 1000000, 0100000, 0010000, 0001000, 0000100, 0000010}).

Using these vectors, the algorithm in turn constructs and stores the following seven cosets
to $V$:

$O_2 = \{0000001, 1011101, 0101111, 0010110, 1001010, 1100100, 1110011, 0111000\}$,
$O_3 = \{1000000, 0011100, 1101110, 1010111, 0001011, 0100101, 0110010, 1111001\}$,
$O_4 = \{0100000, 1111100, 0001110, 0110111, 1101011, 1000101, 1010010, 0011001\}$,
$O_5 = \{0010000, 1001100, 0111110, 0000111, 1011011, 1110101, 1100010, 0101001\}$,
$O_6 = \{0001000, 1010100, 0100110, 0011111, 1000011, 1101101, 1111010, 0110001\}$,
$O_7 = \{0000100, 1011000, 0101010, 0010011, 1001111, 1100001, 1110110, 0111101\}$,
$O_8 = \{0000010, 1011110, 0101100, 0010101, 1001001, 1100111, 1110000, 0111011\}$.


Once this is done, the algorithm will save the value 7 to $I$ and then move to the next entry
in $P$, which happens to be:

(7, {0000011, 1000001, 1100000, 0110000, 0011000, 0001100, 0000110}).

Using this set of vectors, the algorithm produces the final seven cosets:

$O_9 = \{0000011, 1011111, 0101101, 0010100, 1001000, 1100110, 1110001, 0111010\}$,
$O_{10} = \{1000001, 0011101, 1101111, 1010110, 0001010, 0100100, 0110011, 1111000\}$,
$O_{11} = \{1100000, 0111100, 1001110, 1110111, 0101011, 0000101, 0010010, 1011001\}$,
$O_{12} = \{0110000, 1101100, 0011110, 0100111, 1111011, 1010101, 1000010, 0001001\}$,
$O_{13} = \{0011000, 1000100, 0110110, 0001111, 1010011, 1111101, 1101010, 0100001\}$,
$O_{14} = \{0001100, 1010000, 0100010, 0011011, 1000111, 1101001, 1111110, 0110101\}$,
$O_{15} = \{0000110, 1011010, 0101000, 0010001, 1001101, 1100011, 1110100, 0111111\}$.


Once these cosets have been saved to $V$, the algorithm stores the value 7 to $I$. Having stored
all $2^n$ vectors to $V$, the loop that builds cosets terminates. Using the array $I$, the algorithm
then determines the number of sets, $q$, into which the orthogonal arrays were grouped. For
each of these groups, it chooses a value $c_i \in \mathbb{Z}_q$, $i = 0$ to $q - 1$. Using $I$ it computes
the start and end boundaries for each group of vectors and for $k = start$ to $end$ within each
group it saves $(V[k], c_i)$ to a function array $F$. Due to the considerable size of the function,
we omit, in the interest of space, a complete table of input and output values and represent
instead the mapping created by the algorithm:

$\{O_0 \to c_0,\ O_1 \to c_1,\ \{O_2, \ldots, O_8\} \to c_2,\ \{O_9, \ldots, O_{15}\} \to c_3\}$,

that guarantees that our function is both RotS and $CI(2)$.
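The grouping in Example 3.50 and the duplicate check of Remark 3.49 can be replayed mechanically. The following is an added example, not code from the dissertation: the function names are hypothetical, the output values $c_i = 0, \ldots, 3$ are a constructed choice, cyclic classes that are already covered are skipped instead of being recorded with a zero count, and correlation immunity is tested by checking that every level set of $f$ is an orthogonal array of strength $t$, which is the property the construction relies on.

```python
from itertools import combinations

def rot(x, n):
    """Rotate the n-bit vector x (held in an int) right by one position."""
    return (x >> 1) | ((x & 1) << (n - 1))

def cyclic_class(x, n):
    """<x>: the distinct cyclic rotations of x, in rotation order."""
    cls, y = [x], rot(x, n)
    while y != x:
        cls.append(y)
        y = rot(y, n)
    return cls

def is_oa(rows, n, t):
    """True if the rows form a binary orthogonal array of strength t."""
    want, rem = divmod(len(rows), 1 << t)
    if rem or not rows:
        return False
    for cols in combinations(range(n), t):
        counts = {}
        for r in rows:
            key = tuple((r >> c) & 1 for c in cols)
            counts[key] = counts.get(key, 0) + 1
        # every one of the 2^t bit patterns must occur equally often
        if len(counts) != 1 << t or set(counts.values()) != {want}:
            return False
    return True

def build_groups(o0, n):
    """Group O_0 and its cosets by the cyclic class that generated them.

    Returns (groups, index): groups[g] holds the vectors that receive output
    c_g, index[g] is the number of cosets in that group (the array I).
    """
    covered = set(o0)
    classes, listed = [], set()
    for x in range(1, 1 << n):               # collect classes outside O_0
        if x not in covered and x not in listed:
            cls = cyclic_class(x, n)
            listed.update(cls)
            classes.append(cls)
    classes.sort(key=len)                     # ascending period, stable sort
    groups, index = [list(o0)], [1]
    for cls in classes:
        group = []
        for x in cls:
            if x not in covered:              # Remark 3.49: skip duplicates
                coset = [row ^ x for row in o0]
                covered.update(coset)
                group.extend(coset)
        if group:                             # simplification: drop empty groups
            groups.append(group)
            index.append(len(group) // len(o0))
    return groups, index

def make_function(groups, outputs):
    """Assign outputs[g] to every vector of groups[g]."""
    return {x: outputs[g] for g, grp in enumerate(groups) for x in grp}

def is_rots(f, n):
    """Rotation symmetry: f is constant on every cyclic class."""
    return all(f[rot(x, n)] == f[x] for x in f)

def is_ci(f, n, t):
    """Level-set test: each preimage f^{-1}(c) is an OA of strength t."""
    return all(is_oa([x for x in f if f[x] == c], n, t)
               for c in set(f.values()))

def example_3_50():
    """O_0 from Example 3.50: the zero vector plus the rotations of 1011100."""
    n, t = 7, 2
    o0 = [0] + cyclic_class(0b1011100, n)
    groups, index = build_groups(o0, n)
    f = make_function(groups, outputs=[0, 1, 2, 3])   # constructed c_i
    return n, t, o0, groups, index, f

if __name__ == "__main__":
    n, t, o0, groups, index, f = example_3_50()
    print("I =", index, " q =", len(index))
    print("RotS:", is_rots(f, n), " CI(%d):" % t, is_ci(f, n, t))
```
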

Lemma 3.51. Given a cyclic linear orthogonal array $O = OA(2^{n-1}, n, 2, t)$, the remaining
set of vectors $\mathbb{V}_n \setminus O$ also forms a cyclic $OA(2^{n-1}, n, 2, t)$ orthogonal array.

Proof. The proof uses an argument similar to the one found in Lemma 3.25. Let $O_0$ be a
cyclic linear orthogonal array $OA(2^{n-1}, n, 2, t)$. Since $O_0$ is a linear orthogonal array, the
row vectors of $O_0$ form an order $2^{n-1}$ abelian subgroup of $\mathbb{V}_n$ under $\oplus$. Select a vector
$a \in \mathbb{V}_n$ not present in $O_0$ and add it in turn to each row vector in $O_0$, thereby forming
the coset, $O_1$, to $O_0$. Then $O_0 \cup O_1 = \mathbb{V}_n$ and according to Lemma 3.10, $O_1$ is also an
$OA(2^{n-1}, n, 2, t)$ orthogonal array. Since $O_0$ is cyclic, for all row vectors $x \in O_0$, $\langle x \rangle \subseteq O_0$.
Thus, for all remaining row vectors $y \in \mathbb{V}_n \setminus O_0$ it must be the case that $\langle y \rangle \subseteq \mathbb{V}_n \setminus O_0$,
proving that $O_1$ also is a cyclic $OA(2^{n-1}, n, 2, t)$ orthogonal array. ■

Theorem 3.52. Let $O_0 = OA(2^\ell, p, 2, t)$ be a cyclic linear orthogonal array, where $p$ is
prime and $p > t + 1$. If $\mathbf{1} \notin O_0$, then it is always possible, using Algorithm 5, to create a
RotS and $CI(t)$ generalized Boolean function, $f \in \mathcal{GB}_p^q$, where $q$ is at least 3.

Proof. $O_0$ is a linear orthogonal array, so it along with its cosets will partition $\mathbb{V}_p$ into
$2^{p-\ell} \ge 4$ orthogonal arrays of strength $t$. Since $O_0$ is cyclic, $\mathbf{1}$ is a period 1 vector, and
$\mathbf{1} \notin O_0$, we can form the cyclic coset $O_1$ using $\mathbf{1}$. Although the remaining $2^{p-\ell} - 2$ cosets
may not be cyclic, by assigning distinct output values $c_i \in \mathbb{Z}_3$ for $i = 0$ to 2 such that:

$\{O_0 \to c_0,\ O_1 \to c_1,\ \{O_2, \ldots, O_{2^{p-\ell}-1}\} \to c_2\}$,

we produce a RotS and $CI(t)$ generalized Boolean function $f \in \mathcal{GB}_p^3$. In the event there
exist $s$ additional cyclic cosets in the set $\{O_2, \ldots, O_{2^{p-\ell}-1}\}$, then we can construct a RotS
and $CI(t)$ generalized Boolean function $f \in \mathcal{GB}_p^q$, where $q \le 3 + s$. ■

Definition 3.53. We adopt Cusick and Stanica's notion from [11, p. 113] and denote $g_n$ as
the cardinality of the partition of $\mathbb{V}_n$ into cyclic classes.

Cusick and Stanica provide the following formulae for $g_n$ in Theorem 5.68 and Corollary
5.69 of [11, p. 127]. We make use of these results in subsequent theorems and thus include
their results here, albeit without proof. The interested reader may refer to their cited work
as well as [45] and [46] for proofs and further discourse on the stated results.

Theorem  3.54.  [11,  p.  127] 

t|  n 

where $\phi(t)$ is Euler's phi-function.

If $n = p$, $p$ prime, it is possible to obtain a simpler expression. In this case,

$g_p = 2 + \frac{2^p - 2}{p}.$

Lemma 3.55. The number of possible RotS generalized Boolean functions in $\mathcal{GB}_n^q$ is at
most $g(n)^{g(n)}$.

Proof. In order to construct a RotS generalized Boolean function, we partition $\mathbb{V}_n$ into
cyclic classes, of which there are $g(n)$. All vectors within each cyclic class are mapped to
the same output in $\mathbb{Z}_q$. For each partition there are $q$ choices for the output values. Thus,
all told there are $q^{g(n)}$ possible functions. Since $q \le g(n)$, the result is established. ■

Lemma 3.56. If a linear orthogonal array of the form $OA(2, p, 2, 1)$, where $p$ is an odd
prime, is used to construct a cyclic partition of $\mathbb{V}_p$ containing $2^{p-1}$ orthogonal arrays,
then the maximum obtainable number of subsets is $1 + \frac{2^{p-1} - 1}{p}$.

Proof. Since $p$ is prime, each vector in $\mathbb{V}_p$ is either period 1 or period $p$, and Theorem 3.54
tells us that there will be a total of $2 + \frac{2^p - 2}{p}$ cyclic classes. The construction requires that
each orthogonal array consists of two vectors, $x \in \mathbb{V}_p$ and its complement $\bar{x}$. Each cyclic
class of vectors $\langle x \rangle$ is therefore grouped with $\langle \bar{x} \rangle$, thus causing the total number of subsets
in the partition to be:

$\left(2 + \frac{2^p - 2}{p}\right) / 2 = 1 + \frac{2^{p-1} - 1}{p}.$

Theorem 3.57. The number of possible RotS and $CI(1)$ generalized Boolean functions,
$f \in \mathcal{GB}_p^q$, $q \le 1 + \frac{2^{p-1} - 1}{p}$, constructed using a linear orthogonal array of the form
$OA(2, p, 2, 1)$, where $p$ is an odd prime, is:

$\left(1 + \frac{2^{p-1} - 1}{p}\right)^{1 + \frac{2^{p-1} - 1}{p}}.$

Proof. Observe that for all $p$, the number of orthogonal arrays, $2^{p-1}$, in the partition is
strictly greater than $1 + \frac{2^{p-1} - 1}{p}$. By applying Lemmas 3.55 and 3.56 the result immediately
follows. ■

Remark  3.58.  A  surprising  consequence  of  Conjecture  2.26  should  it  prove  to  be  true,  is 
that  balanced  and  symmetric  generalized  Boolean  functions,  where  q  >  2,  do  not  exist. 
This  however,  is  not  the  case  with  balanced  and  RotS  generalized  Boolean  functions. 

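Example 3.59. Consider constructing a 4-variable RotS generalized Boolean function. We
partition $\mathbb{V}_4$ into its 6 cyclic classes: $\langle 0000 \rangle$, $\langle 1111 \rangle$, $\langle 0101 \rangle$, $\langle 0001 \rangle$, $\langle 0011 \rangle$, $\langle 0111 \rangle$,
of respective periods 1, 1, 2, 4, 4, 4. Therefore, by mapping the classes of input vectors to
output values in $\mathbb{Z}_4$ in the following manner, we create a balanced RotS generalized Boolean
function $f \in \mathcal{GB}_4^4$:

$\{\{\langle 0000 \rangle, \langle 1111 \rangle, \langle 0101 \rangle\} \to c_0,\ \langle 0001 \rangle \to c_1,\ \langle 0011 \rangle \to c_2,\ \langle 0111 \rangle \to c_3\}$,

where $c_i$, with $i = 0$ to 3, are distinct values in $\mathbb{Z}_4$.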

Lemma 3.60. For an odd prime $p$ and $k > 2$, it is not possible to partition $\mathbb{V}_p$ into $k$ equally
sized cyclic subsets.

Proof. Since $p$ is prime, the only possible periods for vectors in $\mathbb{V}_p$ are 1 or $p$. The only
two period 1 vectors in $\mathbb{V}_p$ are $\mathbf{0}$ and $\mathbf{1}$. All remaining vectors have period $p$. We wish
to partition $\mathbb{V}_p$ into $k$ subsets, each of which is cyclic. All vectors within a given cyclic
class must therefore be contained in the same subset. However, since $k > 2$ and $p$ is an odd
prime, there is no way in which to distribute $\mathbf{0}$ and $\mathbf{1}$ among the $k$ subsets which will ensure
they all are of equal cardinality. ■

Theorem 3.61. There are no balanced and RotS generalized Boolean functions $f \in \mathcal{GB}_p^q$,
for odd prime, $p$, and $q > 2$.

Proof. The result is an immediate consequence of Lemma 3.60. ■

CHAPTER 4:

Avalanche  Criteria  for  Generalized  Boolean  Functions 


War  is  the  realm  of  uncertainty. 
Information  is  the  resolution  of 
uncertainty.  Cryptology  is  the  gateway 
between  these  entropy  states. 

Carl  von  Clausewitz,  Claude  Shannon, 
and  yours  truly 


4.1  Introduction 

It  is  important  that  functions  that  are  used  in  cryptographic  applications  are  resistant  to 
attacks  involving  the  use  of  knowledge  of  the  input  to  infer  anything  about  the  output.  In 
the  preceding  chapter  we  examined  correlation  immunity  properties  of  generalized  Boolean 
functions.  We  will  now  explore  the  so-called  “avalanche  effect”  whereby  a  small  change 
in  the  input  of  a  function  results  in  a  large,  but  in  some  sense  uniform,  change  to  the  output 
of  the  function.  Such  a  condition,  now  referred  to  as  the  strict  avalanche  criterion  was  first 
defined  by  Webster  and  Tavares  [50]  in  their  research  on  designing  good  Substitution  boxes 
(S-boxes).  This  area  of  research  is  of  particular  relevance  to  generalized  Boolean  functions 
as  well,  in  part  due  to  their  potential  use  as  components  in  look-up  tables  and  S-boxes  of 
future  cryptographic  systems. 


Definition 4.1. [11, p. 31] A Boolean function $f(x)$ in $n$ variables is said to satisfy the
strict avalanche criterion (SAC) if changing any one of the $n$ bits in the input vector $x$
changes the output of the function for exactly half of the $2^{n-1}$ possible input vectors, $x$.

4.2 A Strict Avalanche Criterion Construction for Boolean Functions

Given  the  fact  that  we  will  be  examining  input  vectors  which  differ  by  a  single  bit  along 
with  their  associated  functional  output  values,  it  is  very  natural  to  make  use  of  hypercubes. 
The  idea  of  enlisting  the  aid  of  hypercubes  in  the  study  of  SAC  functions  is  admittedly  not 
original.  It  was  first  adopted  by  Biss  in  1998  [1],  albeit  with  a  combinatorial  approach  and 
not  the  graph  theoretic  point  of  view  which  we  adopt  here. 

Definition 4.2. [9, p. 25] A hypercube of dimension $n$, denoted $H_n$, is the graph whose
vertex set is the set of $n$-long binary vectors $x \in \mathbb{V}_n$ and where two vertices are adjacent in
the graph if they differ by exactly one bit.

Example 4.3. Below we depict the hypercubes, $H_1$ and $H_2$. Notice that adjacent vertices
within each graph differ by one bit:

[Figure: the hypercubes $H_1$ and $H_2$.]

There is a simple recursive method by which hypercubes can be built. $H_2$ is obtained by
taking two copies of $H_1$ and connecting the corresponding (similarly labeled) vertices in
both graphs. The vertex labels are then updated as follows: In the first copy of $H_1$, append
0 to the front of each vector $x$, thereby obtaining the new label "0x". For the second copy
of $H_1$ append 1 to the front of each vector, thus producing the new vector "1x".

We represent a Boolean function $f \in \mathcal{B}_n$ using the $n$-dimensional hypercube $H_n = (\mathbb{V}_n, E)$,
where $\mathbb{V}_n$ is the vertex set and $E$ is the edge set of the graph. Denote $\epsilon = \{x_j, x_h\}$ as an
edge in the graph, where $x_j, x_h \in \mathbb{V}_n$ are distinct vertices in $H_n$. We label each vertex $x \in \mathbb{V}_n$
with the tuple $(x, f(x))$, where $f(x) \in \mathbb{F}_2$. For each edge $\epsilon \in E$, we label $\epsilon$ with the value
1 if $f(x_j) = f(x_h)$ and with 0 otherwise.

Example 4.4. Adopting this approach we represent the below Boolean function $f \in \mathcal{B}_2$
using the depicted labeled graph $H_2$:

[Figure: labeled $H_2$ with vertex labels (00,0), (01,0), (10,1), (11,1).]

$\mathbb{V}_2$  $f$
00  0
01  0
10  1
11  1



Having established a graph-theoretic frame of reference from which to work, we first
consider the conditions under which our labeled hypercube will satisfy the SAC feature for
Boolean functions. All vertices differing by exactly one bit in $H_n$ are connected by an
edge. Moreover, should any pair of such vertices agree with respect to their output values,
the edge between them is labeled with a value of 1. Given the fact that the total number of
edges in a hypercube is $2^{n-1}n$, it is clear that under this Boolean function model paradigm,
a Boolean function will be SAC if and only if the sum of the edge set labels of its associated
graph $H_n$ equals $2^{n-2}n$. We refer to labeled hypercubes which satisfy this requirement as
SAC hypercubes.

When attempting to construct SAC Boolean functions, one can use the fact that hypercubes
can be constructed recursively to one's advantage. By utilizing two appropriately chosen
SAC hypercubes $H_{n,1}$, $H_{n,2}$, which once connected will have $2^{n-1}$ newly formed edges
labeled with 1's (in other words, half of $H_{n,1}$ and $H_{n,2}$'s corresponding vertices agree with
respect to their output values), the newly formed hypercube $H_{n+1}$ will also be SAC. In order
to be in a position to carry out such constructions, we must first analyze and derive the SAC
hypercube "base case" if you will. We do so by contemplating how the vertices of these
graphs can be labeled with output values in order to obtain the requisite edge label sum.
Considering first $H_1$, we see that there clearly is no way in which this can be accomplished,
since it only contains one edge. Turning our attention to $H_2$, we consider the number of
different ways this labeling can be carried out.

Theorem 4.5. There are 12 possible SAC labelings of the 2-dimensional hypercube.

Proof. Without loss of generality, we choose to begin labeling at the lower right vertex
and proceed counter-clockwise around $H_2$. Given the vertex labeling vector $y = y_1 y_2 y_3 y_4$,
where $y_i \in \mathbb{F}_2$ for $i = 1$ to 4, the labeling scheme will thus be as follows:

For $n > 2$, we will use the $H_n$ label vector $w = y \| z$, where $y$ and $z$ are labeling vectors for
hypercubes  Hn_ 


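There are a total of $\sum_{i=0}^{4} \binom{4}{i} = 16$ possible vectors $y$, which we represent using the
following cyclic classes:

$\langle 0000 \rangle = \{0000\}$

$\langle 0001 \rangle = \{0001, 0010, 0100, 1000\}$

$\langle 0011 \rangle = \{0011, 0110, 1100, 1001\}$

$\langle 1110 \rangle = \{1110, 1101, 1011, 0111\}$

$\langle 0101 \rangle = \{0101, 1010\}$

$\langle 1111 \rangle = \{1111\}$.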

To  determine  whether  a  labeling  satisfies  our  requirements,  we  evaluate  y  as  follows: 

n 

i=  1 

where 

{37+1  if  i  +  l  <n, 

yi+l-n  lf  l+l  >»• 

If this sum equals 2, then $y$ is acceptable, otherwise it is not. Among the possible labelings,
0000 and 1111 will of course not work, and neither will the labelings from the set $\langle 0101 \rangle$.
The remaining 12 labelings represented here by their cyclic classes $\langle 0001 \rangle$, $\langle 0011 \rangle$, and
$\langle 1110 \rangle$ all satisfy the requirement we seek. Hence, any one of them when applied to $H_2$
will produce a SAC hypercube of dimension 2, and thus also represent a SAC 2-variable
Boolean function. ■

Remark 4.6. Using the labeling $y = 0011$ produces the SAC hypercube $H_2$ and associated
Boolean function depicted in Example 4.4.


As previously suggested, we can use two appropriately chosen 2-dimensional SAC hypercubes
to construct a 3-dimensional SAC hypercube. In order to ease the selection task we
demonstrate a quick verification procedure which takes advantage of our consistent labeling
scheme. Let $y_1$ and $y_2$ be two of the 12 SAC labeling schemes for $H_2$. In order to determine
whether or not they, once connected, will produce a 3-dimensional SAC hypercube, we
evaluate the two vectors using the following label comparator function, $f(y_1, y_2) = wt(y_1 \oplus y_2)$.
The function compares label values at corresponding indices using XOR. Hence similar
values fail to contribute anything to the Hamming weight of the resultant vector whereas
dissimilar label values add 1. Consequently, if in our case $f(y_1, y_2) = 2$ (namely half of
the vertices), then given the fact that each of the original $H_2$ hypercubes were at the onset
SAC, one can be assured that the sum of the edge-set labels for the resultant 3-dimensional
hypercube $H_3$ will achieve the requisite $2^{n-2}n$ value and thus satisfy the strict avalanche
criterion.

Theorem 4.7. There are a total of 56 labeled SAC 3-dimensional hypercubes with SAC
labeled $H_2$ subgraphs.

Proof. According to Theorem 4.5, there are 12 2-dimensional SAC labeled hypercubes.
Each of these has two edges labeled with 1's (and 2 with 0's). Moreover, we know that
in order for the labeled $H_3$ hypercube to be SAC, 6 of its 12 edges must also be labeled
with 1's. Therefore when connecting the two $H_2$ hypercubes, we must ensure that 2 of their
4 corresponding vertices agree with respect to their output labels. Using the previously
described comparator function, $f(y_1, y_2) = wt(y_1 \oplus y_2)$, we could of course exhaustively
evaluate the relatively small set of label vectors to obtain the stated result. However, we
choose instead to arrive at the answer using a counting argument. We evaluate in turn
each of the three cyclic classes, $\langle 0001 \rangle$, $\langle 0011 \rangle$ and $\langle 1110 \rangle$. Beginning with $\langle 0001 \rangle$ we
consider the possible vector pairings which, when added modulo 2, will produce a vector
of weight 2. Let $y = 0001$. Since $y$ is of Hamming weight 1, $wt(y \oplus \rho^k(y)) = 2$ for
$k = 1$ to 3. There are 4 vectors in $\langle 0001 \rangle$ for which this works, so there are $4 \cdot 3 = 12$
such possible pairings. Adding a Hamming-weight-2 vector to a Hamming-weight-1 vector
always produces a vector of Hamming weight 1 or 3, so we may readily disregard this
possibility. Let $z = 1110$. Then $wt(y \oplus \rho^k(z)) = 2$, for $k = 1$ to 3. As before, there are 4
vectors in $\langle 0001 \rangle$ for which this works, so there are $4 \cdot 3 = 12$ such possible pairings. Observe
that $\bar{y} = 1110$, so the analysis is identical for this cyclic class. Finally we consider $\langle 0011 \rangle$.
Adding two Hamming weight 2 vectors together produces either a Hamming weight 0, 2
or 4 vector. The first and last stated possibilities can each only happen once, so among the
4 possible shifts of 0011, it must be the case that the middle condition occurs twice. Thus
there are $4 \cdot 2 = 8$ such possible pairings. Having exhausted all possibilities within the 3
cyclic classes, we tally the possible pairings which yields $2(12 + 12) + 8 = 56$. ■


Remark 4.8. The discourse above highlights a useful SAC $H_3$ construction strategy. Select
a vector, $y$, from any of the three cyclic classes $\langle 0001 \rangle$, $\langle 0011 \rangle$ or $\langle 1110 \rangle$. If $wt(y) = 1$
or $wt(y) = 3$, then $y$ along with a cyclic shift, $\rho^k(y)$, for $k = 1$ to 3, will always ensure
$wt(y \oplus \rho^k(y)) = 2$. If $wt(y) = 2$, then any odd shift ($k = 1$ or $k = 3$) will result in
$wt(y \oplus \rho^k(y)) = 2$.


Example 4.9. Suppose we wish to construct a Boolean function $f \in \mathcal{B}_3$ which satisfies
the strict avalanche criterion. We begin by first selecting two $H_2$ labelings $y = 0011$ and
z  =  1001.  Before  proceeding,  we  confirm  that  E”=o>’r>’i+i  =  2  and  E”=o zi '  zi+ 1  =  2.  Once 
complete, we then verify that, once connected, the two $y$ and $z$ labeled $H_2$ hypercubes will
produce a SAC $H_3$ labeled hypercube. Given the fact that

$f(y, z) = wt(0011 \oplus 1001) = wt(1010) = 2,$

we can be assured that this will indeed be the case. We thus proceed to construct the
3-dimensional hypercube $H_3$ in the standard manner. Doing so, the vertex labels for each $H_2$
component are augmented with a 0 or 1 in the previously described manner; however, the
associated vertex output values for each copy of $H_2$ remain unchanged. Doing so produces
the following graph and associated function truth table:

[Figure: SAC $H_3$ labeled hypercube; recoverable vertex labels (000,0), (001,0), (010,1), (011,1).]

$\mathbb{V}_3$  $f$
000  0
001  0
010  1
011  1
100  1
101  0
110  1
111  0


Having  demonstrated  the  construction  technique,  we  codify  this  SAC  Boolean  function 
construction  in  the  following  algorithm: 


Algorithm 6 SAC Boolean function construction

 1: Given two SAC $H_{n-1}$ binary output labeling vectors $y$ and $z$, store them as arrays $Y$ and $Z$.
 2: $m \leftarrow n - 1$
 3: $YLength \leftarrow 2^m$
 4: $Edge \leftarrow 0$
 5: Initialize two arrays $W$ and $F$ of length $2 \cdot YLength$.
 6: for $i = 0$ to $YLength - 1$ do
 7:     if $Y[i] == Z[i]$ then
 8:         $Edge{+}{+}$
 9:     end if
10: end for
11: if $Edge = 2^{m-1}$ then
12:     for $i = 1$ to $YLength$ do
13:         if $i \equiv 3 \pmod 4$ then
14:             $W[i-1] \leftarrow Y[i]$
15:             $W[i] \leftarrow Y[i-1]$
16:             $W[YLength + i - 1] \leftarrow Z[i]$
17:             $W[YLength + i] \leftarrow Z[i-1]$
18:         else
19:             $W[i-1] \leftarrow Y[i-1]$
20:             $W[YLength + i - 1] \leftarrow Z[i-1]$
21:         end if
22:     end for
23: else
24:     Return: "Error! The vectors will not produce a SAC function."
25: end if
26: for $j = 0$ to $2 \cdot YLength - 1$ do
27:     $F[j] \leftarrow (j_2, W[j])$
28: end for

Proof of Correctness of the SAC Boolean Function Construction:

The algorithm accepts two binary output labeling vectors $y$ and $z$ for two hypercubes of
dimension $m = n - 1$, storing them in the arrays $Y$ and $Z$. Since each of these labelings
produces a SAC labeled hypercube, we know that each of these hypercubes must contain
$2^{n-3}(n - 1)$ 1-labeled edges. There will be a total of $2^{n-1}$ new edges formed once the
two hypercubes are connected. Therefore, if half of the corresponding labeled vertices
in each hypercube agree with respect to their output values (labels), then $2^{n-2}$ new edges
will be labeled with 1's. The total number of 1-labeled edges in the resultant $n$-dimension
hypercube will therefore be

$2 \cdot 2^{n-3}(n - 1) + 2^{n-2} = 2^{n-2}(n - 1 + 1) = 2^{n-2}n.$

This is exactly half of the total number of edges of the newly-formed hypercube. We
therefore conclude that it, along with its corresponding function $f \in \mathcal{B}_n$, must be SAC. Thus,
the task at hand is to ensure that exactly half of the corresponding vertex labels in $Y$ and $Z$
agree. This check is carried out in steps 6 to 10 of the algorithm. For $i = 0$ to $YLength - 1$
the algorithm compares array elements $Y[i]$ and $Z[i]$ and increments the $Edge$ counter if the
values match. If $Edge = 2^{m-1}$, the construction will succeed and the algorithm proceeds
to build the function truth table. The adopted labeling scheme, discussed in Theorem 4.5,
stores the vector labels in $Y$ and $Z$ as counterclockwise 4-cycles of $H_2$ planes, so before
doing so, it is necessary to store the output values (labels) in lexicographic order in an
array $W$. This procedure is accomplished in steps 12 to 22 of the algorithm. Finally, using
$W$, and for $j = 0$ to $2^n - 1$, the algorithm populates the truth table array $F$ with tuples,
$(j_2, W[j])$, of binary input vectors and q-ary output values.

Remark 4.10. The similarity between the Siegenthaler correlation immunity construction outlined in Theorem 3.35 and the SAC hypercube construction from Algorithm 6 should not be lost on the reader. The SAC construction not only uses two graphs (functions) of dimension $n - 1$ to create a graph (function) of dimension n, but like Siegenthaler's it also requires that the frequency of the two output values 0 and 1 agree between the dimension $n - 1$ subgraphs.

Example 4.11. Suppose we wish to construct a SAC and CI(1) Boolean function $f \in \mathcal{B}_3$. We begin by selecting two $H_2$ labeling vectors y = 0001 and z = 0100.

Nota bene: The reader is cautioned that, unlike in the case of lexicographic ordering, our labeling scheme reverses the order of 10 and 11. Therefore, although by inspection y||z does not (based on symmetry) immediately appear to be CI(1), it in fact is.

As  in  the  previous  example,  we  confirm  that  L/Lo>’;  Ai'+i  and  E"=o  Zi '  A+ i  both  equal  2  and 
that  /( y,z)  =  wt (0001  ©0100)  =  wf  (0101)  =  2.  Having  done  so,  we  then  construct  the  H3 
labeled  graph  below. 


V3   f
000  0
001  0
010  1
011  0
100  0
101  1
110  0
111  0


Since our construction used y and z, which when taken in concert were CI(1), we were not only able to construct a SAC labeled hypercube, but it also turned out to be (order 1) correlation immune. Had we instead chosen the vectors u = 0010 and v = 1000, we would have produced the following SAC and CI(1) hypercube.


V3   f
000  0
001  0
010  0
011  1
100  1
101  0
110  0
111  0


Having these two SAC and CI(1) labeled $H_3$ graphs at our disposal, we demonstrate how to go about combining the Siegenthaler construction of Theorem 3.35 and Algorithm 6 to produce a Boolean function in 4 variables which is both SAC and CI(1).

Let $f_1$ and $f_2$ be the Boolean functions corresponding to $H_{3,1}$ and $H_{3,2}$. Let n = 3 and w = y||z and t = u||v. Before merging the two graphs and creating the function in n + 1 variables, $f = f_1 || f_2$, we ensure the following hold:

1. $H_{3,1}$ and $H_{3,2}$ are both of proper dimension and SAC.

2. $wt(w \oplus t) = 2^{n-1}$.

3. For the set of input vectors $x \in \mathbb{V}_3$, $\Pr(f_1(x) = 0) = \Pr(f_2(x) = 0)$.

4. $f_1$ and $f_2$ are both CI(1).

With all of these requirements met, we proceed with the construction and create the following labeled hypercube $H_4$ along with its associated Boolean function truth table:

[Figure: SAC and CI(1) labeled hypercube $H_4$]

Table 4.1: A SAC and CI(1) Boolean function $f \in \mathcal{B}_4$

V4    f
0000  0
0001  0
0010  1
0011  0
0100  0
0101  1
0110  0
0111  0
1000  0
1001  0
1010  0
1011  1
1100  1
1101  0
1110  0
1111  0

4.3  A  Probabilistic  Strict  Avalanche  Criterion 

Motivated by the work of Kam and Davida on permutation-substitution networks [22],
as  well  as  that  of  Feistel  [14],  Webster  and  Tavares  first  investigated  the  strict  avalanche 
criterion  in  1986  in  an  effort  to  design  S-boxes  with  desirable  cryptographic  properties. 
Given  the  fact  that  Boolean  functions  are  often  employed  as  components  in  S-box  design, 
there  has  subsequently  been  a  great  deal  of  research  carried  out  on  SAC  Boolean  functions. 
In  this  section,  we  will  seek  to  extend  the  notion  of  the  strict  avalanche  criterion  to  that  of 
generalized  Boolean  functions.  Throughout  the  discourse  we  continue  to  build  upon  the 
graph-theoretic  framework  previously  developed  for  the  Boolean  case. 

The strict avalanche criterion requires, in the Boolean case, that each output bit should change with probability 1/2 whenever a single bit of a binary input vector is complemented [50]. In the generalized Boolean case, we modify the criterion as follows:

Definition 4.12. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the probabilistic strict avalanche criterion (PSAC), if changing any one of the n bits in an input vector $x \in \mathbb{V}_n$ results in the output of the function remaining invariant with probability $1/q$.

Remark 4.13. As previously demonstrated, for each Boolean function, it is possible to construct a corresponding labeled hypercube $H_n$. Consequently, given Definition 4.12, a generalized Boolean function $f \in \mathcal{GB}_n^q$ can only be PSAC if $q \mid 2^{n-1}n$. In other words, the number of edges in the graph $H_n$ must be divisible by q.


Example 4.14. We motivate this probabilistic notion of SAC using the following example. Suppose we wish to construct a PSAC generalized Boolean function $f \in \mathcal{GB}_3^3$. The first task is to verify that the number of edges in $H_3$, namely $2^{3-1} \cdot 3 = 12$, is divisible by 3. This being the case, we proceed. As with the previous SAC Boolean function construction, we base our construction on two, albeit not necessarily PSAC, hypercubes of dimension $n - 1$. The function's output values are now in $\mathbb{Z}_3$. Suppose the two ternary label vectors are y = 0011 and z = 2200. In the case of binary vectors, we had a straightforward method of checking the suitability of a given label vector using the sum of the binary product of its bits. In the generalized Boolean function case, we utilize the same basic idea. However, due to the q-ary nature of the task at hand, we employ the Kronecker delta function instead. Thus, given a vector $y = (y_1, y_2, \ldots, y_n)$, let


$$\delta(y_i, y_{i+1}) = \begin{cases} 0 & \text{if } y_i \neq y_{i+1}, \\ 1 & \text{if } y_i = y_{i+1}, \end{cases}$$

and

$$y_{i+1} = \begin{cases} & \text{if } i + 1 \le n, \\ & \text{if } i + 1 > n. \end{cases}$$

Having previously been given the label vectors y and z, we are now capable of computing the number of 1-labeled edges in each of the respective $H_2$ graphs, id est

$$\sum_{i=0}^{n} \delta(y_i, y_{i+1}) = 2$$

and

$$\sum_{i=0}^{n} \delta(z_i, z_{i+1}) = 2.$$

We subsequently need to check the number of newly formed edges which will be 1-labeled when the two $H_2$ graphs are connected. Once again, we need to revise the way in which this is accomplished. Rather than using the XOR operation and computing $wt(y \oplus z)$, as we did when dealing with Boolean functions, we again avail ourselves of the Kronecker delta and compute instead the sum $\sum_{i=1}^{n} \delta(y_i, z_i)$. Doing so, we discover that connecting the two $H_2$ graphs will not produce any additional 1-labeled edges. Thus, the total number of 1-labeled edges in $H_3$ will be 4. This in turn means that the probability of an edge being 1-labeled, and thus neighbor vertices within $H_3$ having the same output label, is 4/12 = 1/3. The $H_2$ labeled subgraphs will therefore produce the desired result. We display the following PSAC labeled hypercube $H_3$, along with its associated function truth table.


V3   f
000  0
001  0
010  1
011  1
100  2
101  2
110  0
111  0


Having  demonstrated  our  approach  to  constructing  PSAC  generalized  Boolean  functions, 
we  now  codify  the  procedure  in  Algorithm  7. 


Remark 4.15. Despite being rather long, Algorithm 7 is, at its core, relatively straightforward. The general approach mirrors that of Example 4.13 and involves using the supplied label vectors to count the number of 1-labeled edges within each subgraph (hypercube of dimension $n - 1$) along with the number of 1-labeled edges which emerge once the two subgraphs are connected. If this number ends up equaling $(2^{n-1}n)/q$, q being the number of different output values (labels) of the generalized function $f \in \mathcal{GB}_n^q$, then we know that according to Definition 4.12, f will satisfy the probabilistic strict avalanche criterion.

Algorithm 7 PSAC generalized Boolean function construction

 1: m ← n - 1
 2: if 2^m (m + 1) ≢ 0 (mod q) then
 3:     Print: "Error! Function parameters not capable of producing a PSAC function."
 4: else
 5:     Store two $H_{n-1}$ labeling vectors y and z as arrays Y and Z.
 6:     YLength ← 2^m
 7:     Initialize arrays W and F of length 2·YLength.
 8:     4Sections ← YLength/4
 9:     YEdge ← 0
10:     ZEdge ← 0
11:     TargetCnt ← (2^m (m + 1))/q
12:     for k = 0 to 4Sections - 1 do
13:         for j = 4k to 4(k + 1) - 1 do
14:             EndIndex = j + 1
15:             if EndIndex > 4 then
16:                 EndIndex = EndIndex - 4
17:             end if
18:             if Y[j] == Y[EndIndex] then
19:                 YEdge++
20:             end if
21:             if Z[j] == Z[EndIndex] then
22:                 ZEdge++
23:             end if
24:         end for
25:     end for
26:     for h = 0 to m - 1 do
27:         Stepsize ← 2^(h+2)
28:         End ← YLength/(2·Stepsize) - 1
29:         for k = 0 to End do
30:             for j = (2k)·Stepsize to (2k + 1)·Stepsize - 1 do
31:                 if Y[j] == Y[j + Stepsize] then
32:                     YEdge++
33:                 end if
34:                 if Z[j] == Z[j + Stepsize] then
35:                     ZEdge++
36:                 end if
37:             end for
38:         end for
39:     end for
40:     EdgeCnt = YEdge + ZEdge
41:     ConnectTarget = TargetCnt - EdgeCnt
42:     if EdgeCnt > TargetCnt or ConnectTarget > 2^m then
43:         Print: "Error: y and z cannot produce a PSAC function."
44:     else
45:         for i = 0 to 2^m - 1 do
46:             if Y[i] == Z[i] then
47:                 EdgeCnt++
48:             end if
49:         end for
50:     end if
51:     if EdgeCnt != TargetCnt then
52:         Print: "Error: y and z cannot produce a PSAC function."
53:     end if
54:     for i = 1 to YLength do
55:         if i ≡ 3 (mod 4) then
56:             W[i-1] ← Y[i]
57:             W[i] ← Y[i-1]
58:             W[YLength + i - 1] ← Z[i]
59:             W[YLength + i] ← Z[i-1]
60:         else
61:             W[i-1] ← Y[i-1]
62:             W[YLength + i - 1] ← Z[i-1]
63:         end if
64:     end for
65:     for j = 0 to 2·YLength - 1 do
66:         F[j] ← (j_2, W[j])
67:     end for
68:     Print: F
69: end if


Proof  of  Correctness  of  the  PSAC  Generalized  Boolean  Function  Construction: 

The first thing the algorithm does, in step 2, is to verify that the number of edges, $2^{n-1}n$, of the resultant graph is divisible by the desired number of output values (labels), q. If this is satisfied, the algorithm then accepts two label vectors y and z, each of length $2^{n-1}$, for the two $H_{n-1}$ subgraphs and stores them in arrays Y and Z. Following some required initialization, the algorithm uses Y and Z and begins to compute the number of 1-labeled edges within each labeled $H_{n-1}$ subgraph. Our adopted labeling scheme, discussed in Theorem 4.5, stores vector labels as counterclockwise 4-cycles. Consequently, in order to begin comparing label values and count corresponding 1-labeled edges within each vector, we must first split the vectors into sub-vectors of length 4 and cyclically check for value agreements. This procedure is carried out in steps 12 to 25 of the algorithm. Once this has been completed the algorithm then needs to check output value agreement for corresponding vertices residing in different planes of each $H_{n-1}$ subgraph. This procedure is accomplished in steps 26 to 39. Upon completion of these steps, the algorithm now has 1-labeled edge counts for both Y and Z which are added together and stored as EdgeCnt. EdgeCnt is then subtracted from TargetCnt (the number of 1-labeled edges required in order for $H_n$ to be PSAC). This value is stored as ConnectTarget. The algorithm then performs two checks: First, it ensures that EdgeCnt ≤ TargetCnt. Secondly, it verifies that ConnectTarget ≤ $2^m$, where $2^m$ is the number of new edges formed once the two $n - 1$ dimension hypercubes are connected. If either of these conditions fails, then $H_n$ cannot be PSAC and no further computation is needed. If, on the other hand, these conditions are satisfied, the algorithm compares the elements of Y[i] and Z[i] and increments EdgeCnt each time an agreement is encountered. Thus once complete, the algorithm will have a complete tally of the number of 1-labeled edges in the $H_n$ hypercube. By comparing EdgeCnt with TargetCnt a final determination can then be made as to whether or not the construction will produce a PSAC hypercube of dimension n. If the two values prove to be equal, steps 54 to 64 of the algorithm then store, in lexicographic order, the output values of Y and Z in the array W. Using W, and for j = 0 to $2^n - 1$, the algorithm finally populates the array F with tuples, $(j_2, W[j])$, of binary input vectors and q-ary output values.

Example 4.16. Suppose we wish to construct a generalized Boolean function $f \in \mathcal{GB}_4^4$ which satisfies the probabilistic strict avalanche criterion. The number of edges in $H_4$, namely $2^{4-1} \cdot 4 = 32$, is divisible by the desired number of output values which is 4, so the algorithm proceeds to accept and store two label vectors for dimension 3 hypercubes from which the graph will be constructed. Suppose the label vectors are: y = 00120223 and z = 20013022. Y and Z are length 8 vectors, so they will each contain two 4-cycles. The algorithm checks for label value agreements within each 4-cycle of the respective vectors, saving the number of agreements to YEdge and ZEdge. In this example these both happen to be 2. The algorithm then checks for agreements between labels of corresponding vectors in different planes of each labeled $H_3$ graph. Adding these agreements to the respective counters, the tally then stands at YEdge = 3 and ZEdge = 3. The algorithm then computes EdgeCnt = YEdge + ZEdge and ConnectTarget = TargetCnt - EdgeCnt. Having done so, it verifies that EdgeCnt ≤ TargetCnt and ConnectTarget ≤ $2^{n-1}$, where TargetCnt is the requisite number of 1-labeled edges in a PSAC quaternary vertex labeled $H_4$ hypercube. If either of these conditions were to fail, the algorithm would terminate. In this example however, both checks pass, so the algorithm proceeds and for i = 1 to 8 compares array elements Y[i] and Z[i], incrementing EdgeCnt each time an agreement is encountered, thus yielding EdgeCnt = 8. The algorithm now compares EdgeCnt to TargetCnt. Since TargetCnt = 32/4 = 8, Y and Z do indeed create a PSAC generalized Boolean function. Using the array W, the algorithm then saves the output labels of Y and Z in lexicographic order and subsequently builds the truth table F of the function. The labeled hypercube along with its corresponding function truth table, Table 4.2, follow.

Table 4.2: A PSAC generalized Boolean function $f \in \mathcal{GB}_4^4$

V4    f
0000  0
0001  0
0010  2
0011  1
0100  0
0101  2
0110  3
0111  2
1000  2
1001  0
1010  1
1011  0
1100  3
1101  0
1110  2
1111  2
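The check-and-reorder procedure of Algorithms 6 and 7, written out in Python as an added example (not the dissertation's own code). It assumes label vectors are stored in the 00, 01, 11, 10 cycle order noted after Example 4.11, counts agreeing (1-labeled) edges directly on the lexicographic table rather than on 4-cycles and planes, and uses function names of its own.

```python
from typing import List, NamedTuple, Sequence


class Construction(NamedTuple):
    table: List[int]          # truth table; index = input vector read as an integer
    inner: int                # agreeing edges inside the two H_{n-1} subgraphs
    connect: int              # agreeing edges created by joining the subgraphs
    target: int               # 2^(n-1) * n / q, the count Definition 4.12 requires
    per_direction: List[int]  # agreeing edges of H_n along each input bit (LSB first)


def cycle_to_lex(labels: Sequence[int]) -> List[int]:
    """Reorder labels stored as 4-cycles (00, 01, 11, 10) into lexicographic
    order by swapping the last two entries of every block of four."""
    if len(labels) < 4 or len(labels) % 4:
        raise ValueError("label vector length must be a positive multiple of 4")
    out = list(labels)
    for base in range(0, len(out), 4):
        out[base + 2], out[base + 3] = out[base + 3], out[base + 2]
    return out


def agreeing_edges(table: Sequence[int]) -> List[int]:
    """For each input bit i, count edges {x, x ^ 2^i} whose endpoints share a
    label (the 1-labeled edges of the text). `table` is in lexicographic order."""
    n = len(table).bit_length() - 1
    if len(table) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    return [
        sum(table[x] == table[x | (1 << i)]
            for x in range(len(table)) if not x & (1 << i))
        for i in range(n)
    ]


def psac_construct(y: Sequence[int], z: Sequence[int], q: int) -> Construction:
    """Join two cycle-ordered H_{n-1} label vectors into an H_n truth table and
    accept it only if exactly 2^(n-1) * n / q edges are agreeing."""
    if len(y) != len(z):
        raise ValueError("y and z must have the same length")
    if any(not 0 <= v < q for v in (*y, *z)):
        raise ValueError("labels must lie in Z_q")
    lex_y, lex_z = cycle_to_lex(y), cycle_to_lex(z)
    table = lex_y + lex_z
    per_direction = agreeing_edges(table)
    n = len(per_direction)
    total_edges = (1 << (n - 1)) * n
    if total_edges % q:                      # Theorem 4.17 / step 2 of Algorithm 7
        raise ValueError("q does not divide the number of edges 2^(n-1) * n")
    target = total_edges // q
    inner = sum(agreeing_edges(lex_y)) + sum(agreeing_edges(lex_z))
    connect = sum(a == b for a, b in zip(y, z))
    if inner + connect != target:
        raise ValueError(f"{inner + connect} agreeing edges, {target} required")
    return Construction(table, inner, connect, target, per_direction)


if __name__ == "__main__":
    digits = lambda s: [int(c) for c in s]
    # Label vectors taken from Examples 4.11, 4.14 and 4.16 of the text.
    for y, z, q in [("0001", "0100", 2), ("0011", "2200", 3),
                    ("00120223", "20013022", 4)]:
        r = psac_construct(digits(y), digits(z), q)
        print(f"q={q} inner={r.inner} connect={r.connect} target={r.target} "
              f"per-bit={r.per_direction}")
        for j, value in enumerate(r.table):
            print(f"  {j:0{len(r.per_direction)}b}  {value}")
```

The `per_direction` field shows how the agreeing edges are spread over the n input bits: for Example 4.14 all four lie along a single bit, while Example 4.16 has two along each.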

Theorem 4.17. A generalized Boolean function $f \in \mathcal{GB}_n^q$ can only satisfy the probabilistic strict avalanche criterion if $q \mid 2^{n-1}n$.

Proof. Let $f \in \mathcal{GB}_n^q$ be a PSAC generalized Boolean function. Let $H_n = (\mathbb{V}_n, E)$ be the labeled hypercube corresponding to f, where $\mathbb{V}_n$ and E are the respective vertex and edge sets of $H_n$. Let each vertex $x \in \mathbb{V}_n$ be labeled with an output from $\mathbb{Z}_q$ and let A(x) be the function which returns the label for x. Moreover, let each edge $e = \{x, y\} \in E$, $x, y \in \mathbb{V}_n$, be labeled with a value $v \in \mathbb{F}_2$, such that $v = \delta(A(x), A(y))$, where $\delta$ is the Kronecker delta function. By Definition 4.12, in order for f to be PSAC, it must remain invariant with probability $1/q$ for the set of $2^{n-1}$ possible input vectors. There are a total of $2^{n-1}n$ edges in $H_n$. Consequently, if f is PSAC, it means that $(2^{n-1}n)/q$ of the edges of $H_n$ must be labeled with 1's. This in turn can only occur if $q \mid 2^{n-1}n$. ■

4.4 Global and Uniform Avalanche Criteria

From a probabilistic frame of reference several types of strict avalanche criteria exist. To illustrate the concept, consider the following labeled $H_3$ hypercube which represents a SAC Boolean function $f \in \mathcal{B}_3$:


For each vertex in the graph, we compare its label to the set of labels of its neighbor vertices. For the benefit of the reader, we split $H_3$ into subgraphs and omit vertex labels other than the one under consideration.

For each vertex we now compute the probability associated with the label remaining invariant as we move from the vertex to its neighbors. The results of these calculations have been compiled in Table 4.3.

Table 4.3: Vertex invariance probability for a SAC Boolean function

Vertex  Prob. Invariance  Prob. Change
000     2/3               1/3
001     2/3               1/3
010     1/3               2/3
011     2/3               1/3
100     1/3               2/3
101     2/3               1/3
110     1/3               2/3
111     1                 0

The hypercube is of dimension 3, and each vertex is thus of degree 3. This in turn means that it is impossible to achieve locally balanced invariance and change probabilities at the vertex level. However, summing the respective columns of the table one observes that across the set of all vertices, the probability of invariance exceeds that of the probability of change. From a cryptographic perspective this is an undesirable property! Consider instead the following labeled $H_3$ hypercube which also represents a SAC Boolean function $f \in \mathcal{B}_3$:

To aid the reader we again split $H_3$ into subgraphs:

As before we calculate the probability of invariance for each vertex of the graph and display the results in Table 4.4.

Table 4.4: Vertex invariance probability for a globally SAC Boolean function

Vertex  Prob. Invariance  Prob. Change
000     2/3               1/3
001     1/3               2/3
010     1/3               2/3
011     2/3               1/3
100     2/3               1/3
101     1/3               2/3
110     1/3               2/3
111     2/3               1/3

Inspecting the results in Table 4.4, we see that for this SAC hypercube and its associated function the probabilities of invariance and change are balanced across the set of input vectors.

Definition 4.18. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the global avalanche criterion (GAC), if it satisfies the probabilistic strict avalanche criterion of Definition 4.12 and,

$$\sum_{x \in \mathbb{V}_n} \sum_{i=1}^{n} \Pr(f(x \oplus e_i) = f(x)) = 2^n/q,$$

where $e_i$ is a unit vector with the ith bit equal to 1 and all other bits 0.

Definition 4.19. A generalized Boolean function $f \in \mathcal{GB}_n^q$ is said to satisfy the uniform avalanche criterion (UAC), if for all $1 \le i \le n$, $1 \le j \le q$, and $x \in \mathbb{V}_n$,

$$\Pr(f(x \oplus e_i) = c_j) = \frac{1}{q},$$

where $c_j$ are distinct elements of $\mathbb{Z}_q$ and $e_i$ are unit vectors with the ith bit equal to 1 and all other bits 0.


Example 4.20. To further motivate the concept of the uniform avalanche criterion, we display the following quaternary output labeled $H_4$, which represents a UAC generalized Boolean function $f \in \mathcal{GB}_4^4$. For lucidity's sake, we again omit the edge labels.

[Figure: UAC labeled hypercube $H_4$ with quaternary vertex labels]

To help the reader verify that for each vertex in the graph, the set of its neighbors take on all possible output values (labels) from $\mathbb{Z}_4$ (with equal frequency), we split the graph into 16 subgraphs, one for each of the 16 vertices in $H_4$.


The graph paradigm under which we have been operating makes it easy (at least for small examples) to verify that a function satisfies the various avalanche criteria. However, other points of reference also have utility. Consider Table 4.5 which depicts the UAC function from Example 4.20.

Table 4.5: A UAC generalized Boolean function $f \in \mathcal{GB}_4^4$

V4    f
0000  0
0001  2
0010  1
0011  3
0100  3
0101  1
0110  2
0111  0
1000  0
1001  2
1010  1
1011  3
1100  3
1101  1
1110  2
1111  0

From the symmetry exhibited in the first and second half of the truth table, it is apparent that f also is a concatenation of two correlation immune (order 1) generalized Boolean functions (Siegenthaler construction). The fact that this UAC function is 1-resilient (CI(1) and balanced) is not a coincidence! Generalized Boolean functions which satisfy the uniform avalanche criterion exhibit amazing properties. We will continue to explore these properties throughout the remainder of this chapter.

Theorem 4.21. If a generalized Boolean function in $\mathcal{GB}_n^q$ satisfies the uniform avalanche criterion, then $q = 2^{\ell}$, where $\ell < n - 1$ if n odd, or $\ell < n$, if n even.

Proof. Let $f \in \mathcal{GB}_n^q$ be a UAC generalized Boolean function. Let $H_n = (\mathbb{V}_n, E)$ be the labeled hypercube corresponding to f, where $\mathbb{V}_n$ and E are the respective vertex and edge sets of $H_n$. Let each vertex $x \in \mathbb{V}_n$ be labeled with an output from $\mathbb{Z}_q$. Additionally let $e_i \in \mathbb{V}_n$ be unit vectors with the ith bit equal to 1 and all other bits 0. By Definition 4.19, in order for f to be UAC, for all i = 1 to n, j = 1 to q, and $x \in \mathbb{V}_n$, $\Pr(f(x \oplus e_i) = c_j) = 1/q$. Consequently, not only must the number of edges in the graph, namely $2^{n-1}n$, be divisible by q, but the number of graph vertices must also be divisible by q. A hypercube $H_n$ contains $2^n$ vertices. Hence, the stipulated requirement has been proven. ■


4.5  Necessary  and  Sufficient  Conditions  for  a  Generalized 
Strict  Avalanche  Criterion 

Suppose that we wish to employ two generalized Boolean functions $f_1 \in \mathcal{GB}_n^{q_1}$ and $f_2 \in \mathcal{GB}_n^{q_2}$ as S-box components of a cryptographic system, as depicted in Figure 4.5. Let S be the $q_1 \times q_2$ S-box (two dimensional array) containing $q_1$ rows and $q_2$ columns of binary vector elements of length n. Let $x, y \in \mathbb{V}_n$ and given x, let $f_1(x)$ and $f_2(x)$ be the respective row and column pointers into S, such that $f_1(x) \in \mathbb{Z}_{q_1}$ and $f_2(x) \in \mathbb{Z}_{q_2}$ and $g(x) = S[f_1(x)][f_2(x)] = y$, is the function which returns element y located in row $f_1(x)$ and column $f_2(x)$ of the S-box.


[Figure: the pointers $f_1(x)$ and $f_2(x)$ select the entry y of the S-box S]

Figure  4.1:  S-box  using  generalized  Boolean  function  pointers 


Momentarily considering the q-ary nature of the S-box pointers, one realizes that in order for the S-box in question to exhibit good cryptographic properties, it is imperative that in addition to $f_1$ and $f_2$ being PSAC, each of their constituent Boolean functions must also be SAC. Regrettably, unlike the situation encountered for correlation immunity, the fact that a generalized Boolean function is PSAC does not guarantee that its Boolean function components will also be SAC.

Example 4.22. To see that this is the case, consider the following generalized Boolean function $f \in \mathcal{GB}_3^3$ along with its constituent Boolean functions, $a_0$ and $a_1$.

f:
[Figure: labeled hypercube $H_3$ for f]

V3   a0  a1  f
000  0   0   0
001  1   0   1
010  0   0   0
011  0   1   2
100  0   0   0
101  0   0   0
110  1   0   1
111  0   1   2

a0:
[Figure: labeled hypercube $H_3$ for $a_0$]

V3   a0
000  0
001  1
010  0
011  0
100  0
101  0
110  1
111  0

a1:
[Figure: labeled hypercube $H_3$ for $a_1$]

V3   a1
000  0
001  0
010  0
011  1
100  0
101  0
110  0
111  1

By inspection we see that 4 of the 12 edges of f's graph are labeled with 1's. The probability that two neighboring vertices agree with respect to their output values (labels) is therefore 1/3, so f is PSAC. Likewise, 6 of $a_0$'s 12 edges are labeled with 1's, so it is SAC. However, in the case of $a_1$, 8 of its 12 edges are labeled with 1's and it therefore fails to satisfy the SAC.


Proceeding  in  the  opposite  direction  and  building  a  generalized  Boolean  function  using 
SAC  Boolean  functions  also  does  not  guarantee  that  the  generalized  Boolean  function  will 
be  PSAC.  We  again  provide  the  reader  with  an  example: 

Example 4.23. Start with the following graphs:

a0:
[Figure: labeled hypercube $H_3$ for $a_0$]

V3   a0
000  0
001  1
010  0
011  0
100  0
101  0
110  1
111  0

a1:
[Figure: labeled hypercube $H_3$ for $a_1$]

V3   a1
000  0
001  0
010  1
011  0
100  0
101  0
110  0
111  1

Of the 12 edges in each of the labeled graphs $a_0$ and $a_1$, 6 edges are 1-labeled, hence the Boolean functions which they represent are both SAC. We now utilize these functions to produce the following generalized Boolean function $f(x) = a_0(x) + 2a_1(x)$.

f:
[Figure: labeled hypercube $H_3$ for f]

V3   a0  a1  f
000  0   0   0
001  1   0   1
010  0   1   2
011  0   0   0
100  0   0   0
101  0   0   0
110  1   0   1
111  0   1   2


The graph f contains two 1-labeled edges, which means that the probability of two neighbor vertices in the graph having the same output label is 2/12 = 1/6. Given the fact that q = 3, we conclude that f does not satisfy the PSAC.

Both of these situations are unfortunate! Webster and Tavares' notion of a strict avalanche criterion was born out of a desire to build S-boxes with good cryptographic properties. If we hope to employ generalized Boolean functions as components of cryptographic algorithms (quantum, perhaps) we must at minimum avoid introducing binary decomposition design weaknesses and thus must ensure that the constituent Boolean functions of a PSAC generalized Boolean function are all SAC. From a practical perspective we would also like to be able to build PSAC generalized Boolean functions using SAC Boolean functions. Bearing both conditions in mind, we formulate the following definition.

Definition 4.24. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function, such that for $x \in \mathbb{V}_n$, $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, $a_j \in \mathcal{B}_n$. The function f is said to satisfy the generalized strict avalanche criterion (GSAC) if and only if f satisfies the probabilistic strict avalanche criterion and all Boolean functions $a_j$, $0 \le j \le k-1$, satisfy the strict avalanche criterion.

Lemma 4.25. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function, such that $x \in \mathbb{V}_n$ and $f(x) = \sum_{j=0}^{k-1} 2^j a_j(x)$, where $a_j \in \mathcal{B}_n$. If f satisfies the uniform avalanche criterion, then for all j, $0 \le j \le k-1$, $a_j$ satisfies the strict avalanche criterion.

Proof. Let $f \in \mathcal{GB}_n^q$ be a UAC generalized Boolean function. Let $H_n = (\mathbb{V}_n, E)$ be the labeled hypercube corresponding to f, where $\mathbb{V}_n$ and E are the respective vertex and edge sets of $H_n$. Let each vertex $x \in \mathbb{V}_n$ be labeled with an output $c_m \in \mathbb{Z}_q$ and let $e_i \in \mathbb{V}_n$ be a unit vector with the ith bit equal to 1 and all other bits 0. By Definition 4.19, in order for f to be UAC, for all i = 1 to n, all m = 1 to q, and every $x \in \mathbb{V}_n$, $\Pr(f(x \oplus e_i) = c_m) = 1/q$. Since $H_n$ is a hypercube, each vertex is of degree n = hq, for some h, $1 \le h \le n$. Moreover, from Theorem 4.21, we know that $q = 2^{\ell}$ for $\ell < n$. For each value j, j = 0 to k - 1, and each vertex x, we relabel $H_n$ by replacing the output value (label) $c_m$ with the jth bit of the binary expansion of $c_m$, thus creating a new labeled hypercube for each Boolean function $a_j$. Consider further the binary expansion of the set of q distinct output values $c_m \in \mathbb{Z}_q$. Observe that since $q = 2^{\ell}$, for each j this set will contain an equal number of 0's and 1's. If this is not immediately evident, consider the fact that each column j of $\mathbb{V}_k$ is balanced. Since f is UAC, for each vertex x in $H_n$, each value $c_m$ appears with frequency h in the set of neighbor vertices of x. Therefore, regardless of what value h happens to be for our particular generalized Boolean function f, for each Boolean function $a_j$, each vertex x in $a_j$ will have $2^{\ell-1}$ neighbor vertices with 0 labels and $2^{\ell-1}$ neighbor vertices with 1 labels. Hence $a_j$ satisfies the uniform avalanche criterion and thus is also SAC. ■

Lemma 4.26. Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ Boolean functions each in $n$ variables. If each Boolean function satisfies the uniform avalanche criterion (UAC) and for all $j$ and $h$, where $0 \le j, h \le k-1$ and $j \ne h$, the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$, then the generalized Boolean function $f \in \mathcal{GB}_n^q$ constructed using $B$ such that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, will be such that it also satisfies the uniform avalanche criterion.


Proof. Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ UAC Boolean functions each in $n$ variables. For all $j$ and $h$, where $0 \le j, h \le k-1$ and $j \ne h$, let each function be such that their pairwise Hamming distances satisfy $d(a_j, a_h) = 2^{n-1}$. Let $f \in \mathcal{GB}_n^q$ be the generalized Boolean function constructed using $B$ such that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$. For $i = 1$ to $n$, let $V_{\mathbf{x}} = \{\mathbf{x} \oplus \mathbf{e}_i : \mathbf{x} \in \mathbb{V}_n\}$ be the set of vectors of Hamming distance 1 from $\mathbf{x}$, and denote $C_{\mathbf{x}} = f(V_{\mathbf{x}})$ as the set of output values associated with $V_{\mathbf{x}}$. Consider now the $q$ distinct output values $c_m \in \mathbb{Z}_q$, $m = 1$ to $q$. Indexing from $j = 0$ to $k-1$, let $(c_m)_2(j)$ represent the $j$th bit of the binary expansion of $c_m$. Each Boolean function is UAC, therefore for all $i = 1$ to $n$, all $m = 1$ to $q$, every position $j$, and all fixed $\mathbf{x}$'s, $\Pr(a_j(\mathbf{x} \oplus \mathbf{e}_i) = (c_m)_2(j)) = 1/2$. In other words, the number of 0's and 1's are equal for each index $j$ of the set of vectors $C_{\mathbf{x}}$. Moreover, since the pairwise Hamming distance between all distinct Boolean functions is $2^{n-1}$, it means that the $q$ output values of $C_{\mathbf{x}}$ will all be distinct elements of $\mathbb{V}_k$. Thus, it must be the case that for all $\mathbf{x} \in \mathbb{V}_n$, $\Pr(f(\mathbf{x} \oplus \mathbf{e}_i) = c_m) = 1/q$, proving that $f$ is UAC. ■

Theorem 4.27. A generalized Boolean function $f \in \mathcal{GB}_n^q$, $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, where $\mathbf{x} \in \mathbb{V}_n$ and $a_j \in \mathcal{B}_n$, is GSAC if $f$ and all functions $a_j$ are UAC and for all $0 \le j, h \le k-1$, such that $j \ne h$, the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$.


Proof. According to Definition 4.24, a generalized Boolean function $f \in \mathcal{GB}_n^q$, where $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, satisfies the generalized strict avalanche criterion if and only if $f$ satisfies the probabilistic strict avalanche criterion and all Boolean functions $a_j$, $j = 0$ to $k-1$, satisfy the strict avalanche criterion.

($\Rightarrow$) Let $f \in \mathcal{GB}_n^q$ be a UAC generalized Boolean function such that $\mathbf{x} \in \mathbb{V}_n$, $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$, and $a_j \in \mathcal{B}_n$. Then according to Lemma 4.25, all Boolean functions $a_j$ are SAC.

($\Leftarrow$) Let $B = \{a_0, a_1, \ldots, a_{k-1}\}$ be a set of $k$ Boolean functions, each in $n$ variables and each of which also satisfies the uniform avalanche criterion. For all $j$ and $h$, where $0 \le j, h \le k-1$ and $j \ne h$, let the pairwise Hamming distance $d(a_j, a_h) = 2^{n-1}$. Suppose $f \in \mathcal{GB}_n^q$ is a generalized Boolean function constructed using $B$ such that $f(\mathbf{x}) = \sum_{j=0}^{k-1} 2^j a_j(\mathbf{x})$. Then according to Lemma 4.26, $f$ satisfies the uniform avalanche criterion. ■


Examples of GSAC generalized Boolean functions abound. The UAC generalized Boolean function $f$ which we presented in Example 4.20 satisfied the generalized strict avalanche criterion. Below we provide yet another example of a generalized Boolean function $f \in \mathcal{GB}_3^4$ which satisfies the generalized strict avalanche criterion. In this case however, the function fails to satisfy the UAC.

[Figure: labeled hypercube of $f$]

V_3   a_0  a_1  f
000   0    0    0
001   0    0    0
010   0    1    2
011   1    0    1
100   0    0    0
101   0    1    2
110   1    1    3
111   0    1    2

Observe that 3 of the 12 edges in the graph $f$ are 1-labeled. The probability that any two neighbor vertices in the graph have the same output value (label) is therefore 1/4 and the function is PSAC.

[Figures: labeled hypercubes of $a_0$ and $a_1$]

V_3   a_0        V_3   a_1
000   0          000   0
001   0          001   0
010   0          010   1
011   1          011   0
100   0          100   0
101   0          101   1
110   1          110   1
111   0          111   1



In $a_0$ and $a_1$, 6 of the 12 graph edges in each respective graph are 1-labeled. Thus, the probability that any two neighbor vertices in either graph have the same output value (label) is 1/2 and both functions are therefore SAC.


4.6 The Connection between the Uniform Avalanche Criterion and Correlation Immunity

In  Example  4.20  we  hinted  that  a  connection  existed  between  a  function  satisfying  the 
uniform  avalanche  criterion  and  the  fact  that  it  was  correlation  immune  (order  1).  We  now 
prove  this  result. 

Theorem 4.28. Generalized Boolean functions $f \in \mathcal{GB}_n^q$ which satisfy the uniform avalanche criterion are 1-resilient (balanced and correlation immune of order 1).

Proof. We proceed by way of contradiction. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function which satisfies the uniform avalanche criterion. Partition the set of input vectors $\mathbb{V}_n$ into $q$ sets $X_j$, where $0 \le j \le q-1$, such that for all $\mathbf{x} \in X_j$, $f(\mathbf{x}) = j$. Without loss of generality consider one of these sets $X_j$, say for instance $X_0$. Suppose that there exists at least one index $k$, $1 \le k \le n$, for which the set of vectors $X_0$ contains an uneven number of 0's and 1's. Let $\mathbf{e}_i$ denote a unit vector with the $i$th bit equal to 1 and all other bits 0. The function $f$ is UAC, so for the set of unit vectors, where $i = 1$ to $n$ and each $\mathbf{x} \in X_0$, the vectors $\mathbf{x} \oplus \mathbf{e}_i$ each reside in one of the $q$ different sets $X_j$. Therefore any imbalance with respect to the number of 0's and 1's in column $k$ for the vectors of $X_0$ must also result in a 0-1 imbalance in column $k$ of the vectors contained in each of the $q-1$ remaining sets $X_j$, where $j \ne 0$. Assume that there is a difference of $d$ more 0's than 1's in column $k$ of $X_0$. Since $f$ is UAC, the total disparity of 0's and 1's for all vectors in the remaining sets $X_j$, $1 \le j \le q-1$, is $d(n-1)$. However, the union $\bigcup_{j=0}^{q-1} X_j = \mathbb{V}_n$. Since the number of 0's and 1's is balanced for each column $i$, $i = 1$ to $n$, this cannot occur. We therefore conclude that for all indices $i = 1$ to $n$ and each set $X_j$, $j = 0$ to $q-1$, there must be an equal number of 0's and 1's. This in turn means that for all $j \in \mathbb{Z}_q$ and every $i$ from 1 to $n$, $\Pr(x_i = 1 \mid f(\mathbf{x}) = j) = 1/2$, which implies that $f$ is CI(1). Moreover, $f$ is UAC, so for each $\mathbf{x}$, and each $c_m \in \mathbb{Z}_q$, $\Pr(f(\mathbf{x} \oplus \mathbf{e}_i) = c_m) = 1/q$. Thus each output value $c_m$ occurs with equal frequency across all $\mathbf{x} \in \mathbb{V}_n$ and $f$ is therefore balanced. ■

Remark 4.29. Theorem 4.28 is important. It not only tells us that a UAC generalized Boolean function is also CI(1), but given Theorems 3.38 and 4.25, also says that the constituent Boolean functions from which $f$ was built are all CI(1) and SAC, thus rendering $f$ resistant to the binary decomposition attacks, which we previously considered. Notice, however, that although all generalized Boolean functions which satisfy the uniform avalanche criterion are correlation immune (order 1), not all order-1 correlation immune generalized Boolean functions are UAC, or even PSAC, for that matter.


Example 4.30. To see that this is the case, consider the (order 1) correlation immune generalized Boolean function $f \in \mathcal{GB}_4^4$ in Table 4.6 along with its associated labeled hypercube.


Table 4.6: A non-UAC CI(1) generalized Boolean function $f \in \mathcal{GB}_4^4$

V_4    f
0000   0
0001   3
0010   2
0011   1
0100   1
0101   2
0110   3
0111   0
1000   1
1001   2
1010   3
1011   0
1100   0
1101   3
1110   2
1111   1

Using symmetry as our aid, we clearly see that $f$ is a CI(1) generalized Boolean function. However, in this extreme case, none of the 32 edges in the corresponding graph are 1-labeled. Thus $f$ not only fails to satisfy the UAC, but also fails to be PSAC.

Using two UAC compliant generalized Boolean functions in $n$ variables along with Algorithm 7 and the Siegenthaler construction allows us to construct a generalized Boolean function in $n+1$ variables which is both PSAC and 1-resilient.

Example 4.31. Using the two UAC generalized Boolean functions in Tables 4.7 and 4.8 along with Algorithm 7 and the Siegenthaler construction we construct the PSAC and 1-resilient function depicted in Table 4.9 and Figure 4.2.

Table 4.7: UAC function $f_1 \in \mathcal{GB}_4^4$

Table 4.8: UAC function $f_2 \in \mathcal{GB}_4^4$

Table 4.9: A PSAC and 1-resilient generalized Boolean function $f_1 \| f_2 = f \in \mathcal{GB}_5^4$


V_5     a_0  a_1  a_0⊕a_1  f
00000   0    0    0        0
00001   0    1    1        2
00010   1    0    1        1
00011   1    1    0        3
00100   1    1    0        3
00101   1    0    1        1
00110   0    1    1        2
00111   0    0    0        0
01000   0    0    0        0
01001   0    1    1        2
01010   1    0    1        1
01011   1    1    0        3
01100   1    1    0        3
01101   1    0    1        1
01110   0    1    1        2
01111   0    0    0        0
10000   0    0    0        0
10001   1    1    0        3
10010   0    1    1        2
10011   1    0    1        1
10100   1    0    1        1
10101   0    1    1        2
10110   1    1    0        3
10111   0    0    0        0
11000   0    0    0        0
11001   1    1    0        3
11010   0    1    1        2
11011   1    0    1        1
11100   1    0    1        1
11101   0    1    1        2
11110   1    1    0        3
11111   0    0    0        0

Figure 4.2: Labeled hypercube corresponding to the generalized Boolean function in Table 4.9

4.7 Linear Structures and the Globally Uniform Gradient

The  preceding  discourse  on  strict  avalanche  criteria  prompted  us  to  examine  the  behavior 
of  a  generalized  function,  first  across  the  entire  set  of  input  vectors,  and  later  for  each 
individual  input  vector.  By  proceeding  from  the  "global"  to  "local"  point  of  view,  and  along 
the  way  modifying  requirements  so  as  to  ensure  that  output  value  probabilities  remained 
balanced,  we  were  able  to  devise  increasingly  well-behaved  functions.  The  pinnacle  of  our 
analysis  thus  far  has  been  the  set  of  functions  which  satisfy  the  uniform  strict  avalanche 
criterion. These functions are both 1-resilient and satisfy the generalized strict avalanche
criterion.  However,  more  remains  to  be  done. 

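Recall from Definition 2.16 that, given a generalized Boolean function $f \in \mathcal{GB}_n^q$, a vector $\mathbf{a} \in \mathbb{V}_n$ is called a linear structure if there exists $c \in \mathbb{Z}_q$ such that, for all $\mathbf{x} \in \mathbb{V}_n$, $f(\mathbf{x} \oplus \mathbf{a}) - f(\mathbf{x}) = c$.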

Consider once again the function $f_1$ from Example 4.31. We partition the input vectors into sets $X_j$, $j = 0$ to 3, such that $\bigcup_{j=0}^{3} X_j = \mathbb{V}_4$ and for all $\mathbf{x} \in X_j$, $f_1(\mathbf{x}) = j$, where $j \in \mathbb{Z}_4$:

X_0    X_1    X_2    X_3
0000   0010   0001   0011
1000   1010   1001   1011
0111   0101   0110   0100
1111   1101   1110   1100

Let $\mathbf{e}_4 = 1000$ and observe that for each set $X_j$ and for all $\mathbf{x} \in X_j$, $f_1(\mathbf{x}) = f_1(\mathbf{x} \oplus \mathbf{e}_4)$. Thus, $\mathbf{e}_4$ is a linear structure and the output invariance for $f$ is skewed in the direction of $\mathbf{e}_4$. From a cryptographer's standpoint this is undesirable! The weakness in $f_1$ stems from the way it was constructed. Concatenating two identical copies of a generalized Boolean function $g \in \mathcal{GB}_{n-1}^q$ will always introduce the linear structure $\mathbf{e}_n$ into the newly constructed function. While the ease of such a construction may be tempting, it, like so many things in cryptography, comes with trade-offs. Consider on the other hand the generalized Boolean function in Table 4.10, which also happens to satisfy the UAC.

Table 4.10: A UAC function $f \in \mathcal{GB}_4^4$ without $\mathbf{e}_i$ as a linear structure

V_4    a_0  a_1  a_0⊕a_1  f
0000   1    0    1        1
0001   1    0    1        1
0010   1    1    0        3
0011   0    1    1        2
0100   0    0    0        0
0101   1    1    0        3
0110   0    0    0        0
0111   0    1    1        2
1000   0    1    1        2
1001   0    0    0        0
1010   1    1    0        3
1011   0    0    0        0
1100   0    1    1        2
1101   1    1    0        3
1110   1    0    1        1
1111   1    0    1        1

Indexing from right to left and $i = 1$ to $n$, let $\mathbf{e}_i$ be the unit vector with 1 in the $i$th position and 0 everywhere else. Once again, we partition the input vectors into sets $X_j$, $j = 0$ to 3, such that $\bigcup_{j=0}^{3} X_j = \mathbb{V}_4$ and for all $\mathbf{x} \in X_j$, $f(\mathbf{x}) = j$, where $j \in \mathbb{Z}_4$.

X_0    X_1    X_2    X_3
0100   0000   0011   0010
0110   0001   0111   1010
1001   1110   1000   0101
1011   1111   1100   1101

Using this partition, we subsequently consider which unit vectors result in invariance among the output values for $f$. Doing so we discover the following:

•  For all $\mathbf{w} \in X_0$, $f(\mathbf{w}) = f(\mathbf{w} \oplus \mathbf{e}_2)$

•  For all $\mathbf{x} \in X_1$, $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{e}_1)$

•  For all $\mathbf{y} \in X_2$, $f(\mathbf{y}) = f(\mathbf{y} \oplus \mathbf{e}_3)$

•  For all $\mathbf{z} \in X_3$, $f(\mathbf{z}) = f(\mathbf{z} \oplus \mathbf{e}_4)$.

This situation is much improved! Now each unit vector is associated with one of the 4 sets of the partition.

A considerable amount of effort has thus far gone into designing generalized Boolean functions $f \in \mathcal{GB}_n^q$ such that, for each $\mathbf{x} \in \mathbb{V}_n$ and all $i$ from 1 to $n$, the function ensures that for the set of all Hamming distance 1 vectors, $f$ achieves all output values in $\mathbb{Z}_q$ with equal probability. It therefore only seems natural that we also ensure that for each $\mathbf{x} \in \mathbb{V}_n$, the probability $\Pr(f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{e}_i))$ is equal for each of the $n$ unit vectors in $f$.

Definition 4.32. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function which satisfies the uniform avalanche criterion and let $\mathbf{e}_i$ denote a unit vector with the $i$th bit equal to 1 and all other bits 0. The function $f$ is said to possess a globally uniform gradient if for each $\mathbf{e}_i$, $1 \le i \le n$,

$$\Pr(D_{\mathbf{e}_i} f(\mathbf{x}) = 0) = \frac{1}{n},$$

where $D_{\mathbf{e}_i} f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{e}_i) - f(\mathbf{x})$ is the derivative of $f$ with respect to the unit vector $\mathbf{e}_i$. Generalized Boolean functions which satisfy the UAC and have a globally uniform unit vector gradient are referred to as Cataract functions.

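Definition 4.33. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function and let $\mathbf{e}_i$ denote a unit vector with the $i$th bit equal to 1 and all other bits 0. Then for all $\mathbf{x} \in \mathbb{V}_n$ and $i = 1$ to $n$, we define the gradient of $f$, denoted $\nabla f_{\mathbf{e}_i}(\mathbf{x})$, as follows:

$$\nabla f_{\mathbf{e}_i}(\mathbf{x}) = (D_{\mathbf{e}_1} f(\mathbf{x}), D_{\mathbf{e}_2} f(\mathbf{x}), \ldots, D_{\mathbf{e}_n} f(\mathbf{x})),$$

where $D_{\mathbf{e}_i} f(\mathbf{x})$ is the derivative of $f$ with respect to the unit vector $\mathbf{e}_i$.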

Theorem 4.34. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function which satisfies the uniform avalanche criterion. Let $\mathbf{x} \in \mathbb{V}_n$ and denote $\mathbf{e}_i$ as a unit vector with the $i$th bit equal to 1 and all other bits 0. Then $\{\nabla f_{\mathbf{e}_i}(\mathbb{V}_n)\} = \mathbb{Z}_q$, $\forall i$, $1 \le i \le n$.

Proof. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function which satisfies the uniform avalanche criterion. Since $f$ is UAC, for $i = 1$ to $n$, $f(\mathbf{x} \oplus \mathbf{e}_i)$, when $\mathbf{x}$ runs through $\mathbb{V}_n$, must achieve all values of $\mathbb{Z}_q$ (with equal frequency). Subtraction in the derivative, $D_{\mathbf{e}_i} f(\mathbf{x})$, is carried out modulo $q$, thus, for each distinct $i$, $f(\mathbf{x} \oplus \mathbf{e}_i) - f(\mathbf{x})$ is a unique element of $\mathbb{Z}_q$. ■


Theorem 4.35. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function. Let $\mathbf{x} \in \mathbb{V}_n$ and denote $\mathbf{e}_i$ as a unit vector with the $i$th bit equal to 1 and all other bits 0. If $f$ satisfies the uniform avalanche criterion and has a globally uniform gradient, then for all $\mathbf{x} \in \mathbb{V}_n$, and for specific $i$, the set $\{D_{\mathbf{e}_i} f(\mathbf{x})\}$ contains all elements of $\mathbb{Z}_q$ in balanced proportions (in other words, it is a permutation of the truth table of $f$).


Proof. Let $f \in \mathcal{GB}_n^q$ be a generalized Boolean function which satisfies the uniform avalanche criterion and which has a globally uniform gradient. The function $f$ has a globally uniform gradient, thus according to Definition 4.32, for each specific $i$ and unit vector $\mathbf{e}_i$, there are $2^n/n$ vectors $\mathbf{x} \in \mathbb{V}_n$ for which $D_{\mathbf{e}_i} f(\mathbf{x}) = 0$. However, $f$ is also UAC, so according to Theorem 4.34, for each $\mathbf{x}$ and all $i$ from 1 to $n$, $\{\nabla f_{\mathbf{e}_i}(\mathbf{x})\} = \mathbb{Z}_q$. Thus, in order for both conditions to hold, it must be the case that for each specific unit vector $\mathbf{e}_i$ and the set of all vectors $\mathbb{V}_n$, each value $D_{\mathbf{e}_i} f(\mathbf{x}) \in \mathbb{Z}_q$ occurs with frequency a divisor of $2^n$. ■


We can use Theorem 4.35 to evaluate whether or not a generalized Boolean function that satisfies the uniform avalanche criterion also has a globally uniform gradient. We demonstrate the approach using the following example.


Example 4.36. Suppose we would like to check whether or not the functions $f_1$ and $f_2$ from our previous example each satisfy the uniform avalanche criterion and have globally uniform gradients. Using their truth tables, we compute their respective gradients for all vectors $\mathbf{x} \in \mathbb{V}_n$. The results from these calculations are displayed in Table 4.11.

Table 4.11: Gradients for two UAC generalized Boolean functions $f_1$ and $f_2$

V_4    f_1  f_2  ∇f_1(x)     ∇f_2(x)
0000   0    1    (2,1,3,0)   (0,2,3,1)
0001   2    1    (2,1,3,0)   (0,1,2,3)
0010   1    3    (2,3,1,0)   (3,2,1,0)
0011   3    2    (2,3,1,0)   (1,3,0,2)
0100   3    0    (2,3,1,0)   (3,0,1,2)
0101   1    3    (2,3,1,0)   (1,3,2,0)
0110   2    0    (2,1,3,0)   (2,0,3,1)
0111   0    2    (2,1,3,0)   (2,1,0,3)
1000   0    2    (2,1,3,0)   (2,1,0,3)
1001   2    0    (2,1,3,0)   (2,0,3,1)
1010   1    3    (2,3,1,0)   (1,3,2,0)
1011   3    0    (2,3,1,0)   (3,0,1,2)
1100   3    2    (2,3,1,0)   (1,3,0,2)
1101   1    3    (2,3,1,0)   (3,2,1,0)
1110   2    1    (2,1,3,0)   (0,1,2,3)
1111   0    1    (2,1,3,0)   (0,2,3,1)

Examining the rows of the table, for each vector $\mathbf{x}$, we observe that the gradients for both functions contain all values of $\mathbb{Z}_q$. Turning our attention to the columns of each respective set of gradients, we moreover observe the following: for each column $i$ from 1 to $n$, the gradient values associated with $\mathbf{e}_i$ for $f_1$ are not balanced. For example, the values in the first column (associated with $\mathbf{e}_1$) are all 2. This however is not the case for $f_2$. Here we see that for each column $i$, the $\mathbf{e}_i$-associated derivatives in the set of gradients all appear with equal frequency. We therefore conclude that $f_1$ does not possess a uniform gradient, whereas $f_2$ does.
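
The checks of Examples 4.30 and 4.36 can be reproduced mechanically. The Python below is an added example, not code from the dissertation; it uses the truth tables of Table 4.6 and Table 4.11 with each vector read as the integer $x_4x_3x_2x_1$ and unit vectors indexed from the right as in the text, and all function names are this example's own.

```python
from collections import Counter

N, Q = 4, 4  # all three functions below map V_4 -> Z_4

# Truth tables indexed by the integer value of x = x4 x3 x2 x1.
F1 = [0, 2, 1, 3, 3, 1, 2, 0, 0, 2, 1, 3, 3, 1, 2, 0]   # f_1, Table 4.11
F2 = [1, 1, 3, 2, 0, 3, 0, 2, 2, 0, 3, 0, 2, 3, 1, 1]   # f_2, Table 4.11
T46 = [0, 3, 2, 1, 1, 2, 3, 0, 1, 2, 3, 0, 0, 3, 2, 1]  # f, Table 4.6


def unit(i):
    """Unit vector e_i, 1-based and indexed from the right."""
    return 1 << (i - 1)


def derivative(f, q, a, x):
    """D_a f(x) = f(x XOR a) - f(x), carried out modulo q."""
    return (f[x ^ a] - f[x]) % q


def gradient(f, n, q, x):
    """Definition 4.33: (D_e1 f(x), ..., D_en f(x))."""
    return tuple(derivative(f, q, unit(i), x) for i in range(1, n + 1))


def is_uac(f, n, q):
    """Every x sees each value of Z_q equally often among its n neighbours."""
    if n % q:
        return False
    for x in range(1 << n):
        seen = Counter(f[x ^ unit(i)] for i in range(1, n + 1))
        if any(seen[c] != n // q for c in range(q)):
            return False
    return True


def zero_derivative_counts(f, n, q):
    """For each e_i, the number of x with D_ei f(x) = 0."""
    return [sum(derivative(f, q, unit(i), x) == 0 for x in range(1 << n))
            for i in range(1, n + 1)]


def has_globally_uniform_gradient(f, n, q):
    """Definition 4.32: f is UAC and Pr(D_ei f(x) = 0) = 1/n for every i."""
    return is_uac(f, n, q) and all(
        n * zeros == (1 << n) for zeros in zero_derivative_counts(f, n, q))


def unit_linear_structures(f, n, q):
    """{i: c} for every unit vector e_i with D_ei f(x) = c for all x."""
    found = {}
    for i in range(1, n + 1):
        values = {derivative(f, q, unit(i), x) for x in range(1 << n)}
        if len(values) == 1:
            found[i] = values.pop()
    return found


def equal_label_edges(f, n):
    """Number of hypercube edges whose two endpoints carry the same output."""
    return sum(f[x] == f[x ^ unit(i)]
               for x in range(1 << n) for i in range(1, n + 1)) // 2


def is_one_resilient(f, n, q):
    """Balanced, and Pr(x_i = 1 | f(x) = j) = 1/2 for all i and j."""
    size = 1 << n
    for j in range(q):
        members = [x for x in range(size) if f[x] == j]
        if len(members) * q != size:
            return False  # not balanced
        for i in range(1, n + 1):
            if 2 * sum(1 for x in members if x & unit(i)) != len(members):
                return False  # x_i is correlated with the event f(x) = j
    return True


if __name__ == "__main__":
    for name, f in (("f_1", F1), ("f_2", F2), ("Table 4.6", T46)):
        print(name,
              "UAC:", is_uac(f, N, Q),
              "uniform gradient:", has_globally_uniform_gradient(f, N, Q),
              "unit linear structures:", unit_linear_structures(f, N, Q),
              "equal-label edges:", equal_label_edges(f, N),
              "1-resilient:", is_one_resilient(f, N, Q))
```

Of the 32 edges, 8 carry equal labels for both $f_1$ and $f_2$ (probability 1/4), but for $f_1$ all 8 lie in the direction $\mathbf{e}_4$, while for $f_2$ they are spread evenly over the four directions.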
CHAPTER 5:

Generalized  Bent  Boolean  Functions 


Mathematics  compares  the  most 
diverse  phenomena  and  discovers  the 
secret  analogies  that  unite  them. 

Joseph  Fourier 


This  chapter  includes  results  on  generalized  bent  Boolean  functions  from  the  following 
papers:  Bent  and  generalized  bent  Boolean  functions  [44],  Generalized  bent  functions  and 
their  Gray  images  [28],  as  well  as  Partial  spread  and  vectorial  generalized  bent  functions 
[29].  The  dissertation  author  is  a  coauthor  on  these  papers.  The  discourse  along  with  all 
results  appear  in  the  original  form  in  which  they  were  published  in  the  cited  works. 


5.1  Introduction 

The culmination of our investigation into avalanche features for generalized Boolean functions was the development of what we referred to as cataract functions. These functions are UAC, free of unit vector linear structures, and contain a global uniform gradient. In this section we expand upon the idea of removing linear structures from a generalized Boolean function. Meier and Staffelbach [30] investigated a class of Boolean functions which they called perfectly nonlinear. We extend here their notion of perfect nonlinear Boolean functions so that it applies to generalized Boolean functions.

Definition 5.1. A generalized Boolean function $f : \mathbb{V}_n \to \mathbb{Z}_q$ is called perfect nonlinear with respect to linear structures (perfect nonlinear for short) if for every $0 \le j \le q-1$, and every nonzero vector $\mathbf{a} \in \mathbb{V}_n$, the equation $D_{\mathbf{a}} f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{a}) - f(\mathbf{x}) = j$ has exactly $2^n/q$ solutions $\mathbf{x} \in \mathbb{V}_n$ (in other words, the derivatives of $f$ at every point $\mathbf{a}$ are balanced).

Remark 5.2. Notice that based on the above definition, in order for a generalized Boolean function $f \in \mathcal{GB}_n^q$ to be perfect nonlinear, $q$ must be such that $q = 2^\ell$, where $1 \le \ell \le n-1$.

In their cited paper, Meier and Staffelbach demonstrated that the class of perfect nonlinear and bent Boolean functions coincide.

Generalized bent Boolean functions are an active area of research. A plethora of papers have been written on the topic (see [28], [29], [44] and the references therein). We present here a few results contained in the above cited papers which were coauthored by this dissertation author.


5.2  Generalized  Bent  Boolean  Functions 

The material presented in this section was taken directly from the paper Bent and generalized bent Boolean functions [44] and appears in its original published form.

Recall from Chapter 2 that the generalized Walsh-Hadamard transform of $f \in \mathcal{GB}_n^q$ at any point $\mathbf{u} \in \mathbb{V}_n$ is the complex valued function

$$\mathcal{H}_f(\mathbf{u}) = 2^{-n/2} \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{u}\cdot\mathbf{x}}.$$


Definition 5.3. [44] A function $f \in \mathcal{GB}_n^q$ is a generalized bent (gbent) function if $|\mathcal{H}_f(\mathbf{u})| = 1$ for all $\mathbf{u} \in \mathbb{V}_n$. When $q = 2$, then $f$ is bent (these exist for $n$ even, only). If $n$ is odd, a function $f \in \mathcal{B}_n$ is said to be semibent if and only if $|W_f(\mathbf{u})| \in \{0, \sqrt{2}\}$, for all $\mathbf{u} \in \mathbb{V}_n$.

Suppose $f \in \mathcal{GB}_n^q$ is a gbent function such that for every $\mathbf{u}$, we have —

for some $0 \le k_{\mathbf{u}} < q$. Then, for such a gbent function $f$, there is a function $F : \mathbb{V}_n \to \mathbb{Z}_q$ such that = $\mathcal{H}_f$. We call such a function $F$ the dual of $f$. The reader is cautioned that only some gbent functions admit duals. By applying Theorem 5.4, one can easily see that the dual of a gbent function is also gbent, since the Walsh-Hadamard transform of the dual $F$ is $\mathcal{H}_F(\mathbf{u}) = \zeta^{f(\mathbf{u})}$ [44].

The following properties of the Walsh-Hadamard transform on generalized Boolean functions are similar to the Boolean function case [44].

Theorem 5.4. [44]

(i) Let $f \in \mathcal{GB}_n^q$. The inverse of the Walsh-Hadamard transform is given by

$$\zeta^{f(\mathbf{y})} = 2^{-n/2} \sum_{\mathbf{u} \in \mathbb{V}_n} \mathcal{H}_f(\mathbf{u}) (-1)^{\mathbf{u}\cdot\mathbf{y}}.$$

Further, $\mathcal{C}_{f,g}(\mathbf{u}) = \overline{\mathcal{C}_{g,f}(\mathbf{u})}$, for all $\mathbf{u} \in \mathbb{V}_n$, which implies that $\mathcal{C}_f(\mathbf{u})$ is always real.

(«)  Zf/.«  - 

ue¥„ 

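$$\mathcal{C}_{f,g}(\mathbf{u}) = \sum_{\mathbf{x} \in \mathbb{V}_n} \mathcal{H}_f(\mathbf{x}) \overline{\mathcal{H}_g(\mathbf{x})} (-1)^{\mathbf{u}\cdot\mathbf{x}}.$$

(iii) Taking the particular case $f = g$ we obtain

$$\mathcal{C}_f(\mathbf{u}) = \sum_{\mathbf{x} \in \mathbb{V}_n} |\mathcal{H}_f(\mathbf{x})|^2 (-1)^{\mathbf{u}\cdot\mathbf{x}}.$$

(iv) If $f \in \mathcal{GB}_n^q$, then $f$ is a gbent function if and only if

$$\mathcal{C}_f(\mathbf{u}) = \begin{cases} 2^n & \text{if } \mathbf{u} = \mathbf{0}, \\ 0 & \text{if } \mathbf{u} \ne \mathbf{0}. \end{cases} \qquad (5.1)$$

(v) Moreover, the (generalized) Parseval's identity holds

$$\sum_{\mathbf{x} \in \mathbb{V}_n} |\mathcal{H}_f(\mathbf{x})|^2 = 2^n. \qquad (5.2)$$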

Let $\zeta = e^{2\pi i/q}$ be the $q$-primitive root of unity, and $f : \mathbb{V}_n \to \mathbb{Z}_q$ as in (2.1). It turns out that the generalized Walsh-Hadamard spectrum of $f$ can be described (albeit, in a complicated manner) in terms of the Walsh-Hadamard spectrum of its Boolean components $a_i$ [44].

Theorem 5.5. [44] The Walsh-Hadamard transform of $f : \mathbb{V}_n \to \mathbb{Z}_q$, $2^{h-1} < q \le 2^h$, where $f(\mathbf{x}) = \sum_{i=0}^{h-1} a_i(\mathbf{x}) 2^i$, $a_i \in \mathcal{B}_n$, is given by

$$\mathcal{H}_f(\mathbf{u}) = 2^{-h} \sum_{I \subseteq \{0,\ldots,h-1\}} \zeta^{\sum_{i \in I} 2^i} \sum_{J \subseteq I,\, K \subseteq \bar{I}} (-1)^{|J|}\, W_{\bigoplus_{t \in J \cup K} a_t}(\mathbf{u}).$$

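Proof. For brevity, we use the notations $\zeta_i := \zeta^{2^i}$. It is easy to see that, for $s \in \mathbb{Z}_2$, we have

$$z^s = \frac{1 + (-1)^s}{2} + \frac{1 - (-1)^s}{2}\, z, \qquad (5.3)$$

and so, we have the identities $\zeta_i^{a_i(\mathbf{x})} = \frac{1}{2}(A_i + A_i' \zeta_i)$, where $A_i = 1 + (-1)^{a_i(\mathbf{x})}$, $A_i' = 1 - (-1)^{a_i(\mathbf{x})}$, and the complement $\bar{I} := \{0, 1, \ldots, h-1\} \setminus I$, for some subset $I$ of $\{0, 1, \ldots, h-1\}$. The Walsh-Hadamard coefficients of $f$ are

$$\begin{aligned}
2^{n/2} \mathcal{H}_f(\mathbf{u}) &= \sum_{\mathbf{x}} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{u}\cdot\mathbf{x}} = \sum_{\mathbf{x}} \zeta^{\sum_{i=0}^{h-1} a_i(\mathbf{x}) 2^i} (-1)^{\mathbf{u}\cdot\mathbf{x}} \\
&= \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} \prod_{i=0}^{h-1} \left(\zeta^{2^i}\right)^{a_i(\mathbf{x})} \\
&= \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} \prod_{i=0}^{h-1} \frac{1}{2}\left(1 + (-1)^{a_i(\mathbf{x})} + \left(1 - (-1)^{a_i(\mathbf{x})}\right) \zeta_i\right) \\
&= 2^{-h} \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} \sum_{I \subseteq \{0,\ldots,h-1\}} \prod_{i \in I,\, j \in \bar{I}} \zeta_i A_i' A_j \\
&= 2^{-h} \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} \sum_{I \subseteq \{0,\ldots,h-1\}} \zeta^{\sum_{i \in I} 2^i} \prod_{i \in I,\, j \in \bar{I}} A_i' A_j \\
&= 2^{-h} \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} \sum_{I \subseteq \{0,\ldots,h-1\}} \zeta^{\sum_{i \in I} 2^i} \sum_{J \subseteq I,\, K \subseteq \bar{I}} (-1)^{|J|} (-1)^{\bigoplus_{j \in J} a_j(\mathbf{x}) \oplus \bigoplus_{k \in K} a_k(\mathbf{x})} \\
&= 2^{-h} \sum_{I \subseteq \{0,\ldots,h-1\}} \zeta^{\sum_{i \in I} 2^i} \sum_{J \subseteq I,\, K \subseteq \bar{I}} (-1)^{|J|} \sum_{\mathbf{x}} (-1)^{\mathbf{u}\cdot\mathbf{x}} (-1)^{\bigoplus_{t \in J \cup K} a_t(\mathbf{x})},
\end{aligned}$$

and so, we obtain our result.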


5.3 Construction of Generalized Bent Functions in $\mathcal{GB}_n^8$

The material presented in this section was taken directly from the paper Bent and generalized bent Boolean functions [44] and appears in its original published form.

Theorem 5.6. [44] If $f : \mathbb{V}_{n+2} \to \mathbb{Z}_8$ ($n$ even) is given by

$$f(\mathbf{x}, y, z) = 4c(\mathbf{x}) + (4a(\mathbf{x}) + 2c(\mathbf{x}) + 1)y + (4b(\mathbf{x}) + 2c(\mathbf{x}) + 1)z - 2yz,$$

where $a, b, c \in \mathcal{B}_n$ such that all $a$, $b$, $c$, $a \oplus c$, $b \oplus c$ and $a \oplus b$ are bent satisfying

$$W_a(\mathbf{x}) W_b(\mathbf{x}) + W_{a \oplus c}(\mathbf{x}) W_{b \oplus c}(\mathbf{x}) = -2 W_{a \oplus b}(\mathbf{x}) W_c(\mathbf{x}), \text{ for all } \mathbf{x} \in \mathbb{V}_n, \qquad (5.4)$$

then $f$ is gbent in $\mathcal{GB}_{n+2}^8$.


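Proof. We compute the Walsh-Hadamard coefficients (using that $\zeta = \frac{1}{\sqrt{2}}(1 + i)$ and $\zeta^2 = i$)

$$\begin{aligned}
2^{(n+2)/2} \mathcal{H}_f(\mathbf{u}, v, w) &= \sum_{(\mathbf{x}, y, z) \in \mathbb{V}_{n+2}} \zeta^{f(\mathbf{x}, y, z)} (-1)^{\mathbf{u}\cdot\mathbf{x} \oplus vy \oplus wz} \\
&= \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{4c(\mathbf{x})} (-1)^{\mathbf{u}\cdot\mathbf{x}} \sum_{(y,z) \in \mathbb{V}_2} \zeta^{(4a(\mathbf{x}) + 2c(\mathbf{x}) + 1)y + (4b(\mathbf{x}) + 2c(\mathbf{x}) + 1)z - 2yz} (-1)^{vy \oplus wz} \\
&= \sum_{\mathbf{x} \in \mathbb{V}_n} (-1)^{c(\mathbf{x}) \oplus \mathbf{u}\cdot\mathbf{x}} \Big(1 + (-1)^v (-1)^{a(\mathbf{x})} i^{c(\mathbf{x})} \zeta + (-1)^w (-1)^{b(\mathbf{x})} i^{c(\mathbf{x})} \zeta \\
&\qquad\qquad + (-1)^{a(\mathbf{x}) \oplus b(\mathbf{x}) \oplus c(\mathbf{x}) \oplus v \oplus w}\Big).
\end{aligned}$$

Applying equation (5.3) with $(z, s) = (i, c(\mathbf{x}))$, that is, $i^{c(\mathbf{x})} = \frac{1 + (-1)^{c(\mathbf{x})}}{2} + \frac{1 - (-1)^{c(\mathbf{x})}}{2}\, i$, we obtain

$$\begin{aligned}
2 \mathcal{H}_f(\mathbf{u}, v, w) &= W_c(\mathbf{u}) + \frac{(-1)^v \zeta}{2} \left(W_{a \oplus c}(\mathbf{u}) + W_a(\mathbf{u}) + i W_{a \oplus c}(\mathbf{u}) - i W_a(\mathbf{u})\right) \\
&\quad + \frac{(-1)^w \zeta}{2} \left(W_{b \oplus c}(\mathbf{u}) + W_b(\mathbf{u}) + i W_{b \oplus c}(\mathbf{u}) - i W_b(\mathbf{u})\right) + (-1)^{v \oplus w} W_{a \oplus b}(\mathbf{u}) \\
&= W_c(\mathbf{u}) + \frac{(-1)^v}{\sqrt{2}} \left(W_a(\mathbf{u}) + i W_{a \oplus c}(\mathbf{u})\right) \\
&\quad + \frac{(-1)^w}{\sqrt{2}} \left(W_b(\mathbf{u}) + i W_{b \oplus c}(\mathbf{u})\right) + (-1)^{v \oplus w} W_{a \oplus b}(\mathbf{u}).
\end{aligned}$$

Therefore, the real and the imaginary parts of $\mathcal{H}_f(\mathbf{u}, v, w)$ are

$$\begin{aligned}
2\,\mathrm{Re}(\mathcal{H}_f(\mathbf{u}, v, w)) &= W_c(\mathbf{u}) + (-1)^{v \oplus w} W_{a \oplus b}(\mathbf{u}) + \frac{(-1)^v W_a(\mathbf{u}) + (-1)^w W_b(\mathbf{u})}{\sqrt{2}}, \\
2\,\mathrm{Im}(\mathcal{H}_f(\mathbf{u}, v, w)) &= \frac{(-1)^v W_{a \oplus c}(\mathbf{u}) + (-1)^w W_{b \oplus c}(\mathbf{u})}{\sqrt{2}},
\end{aligned}$$

and so,

$$\begin{aligned}
4 |\mathcal{H}_f(\mathbf{u}, v, w)|^2 &= \frac{1}{2} \left(W_a(\mathbf{u})^2 + W_b(\mathbf{u})^2 + W_{a \oplus c}(\mathbf{u})^2 + W_{b \oplus c}(\mathbf{u})^2 + 2 W_c(\mathbf{u})^2 + 2 W_{a \oplus b}(\mathbf{u})^2\right) \\
&\quad + (-1)^{v+w} \left(W_a(\mathbf{u}) W_b(\mathbf{u}) + W_{a \oplus c}(\mathbf{u}) W_{b \oplus c}(\mathbf{u}) + 2 W_c(\mathbf{u}) W_{a \oplus b}(\mathbf{u})\right) \\
&\quad + \sqrt{2} \left((-1)^v \left(W_a(\mathbf{u}) W_c(\mathbf{u}) + W_b(\mathbf{u}) W_{a \oplus b}(\mathbf{u})\right) + (-1)^w \left(W_b(\mathbf{u}) W_c(\mathbf{u}) + W_a(\mathbf{u}) W_{a \oplus b}(\mathbf{u})\right)\right).
\end{aligned} \qquad (5.5)$$

Since $a, b, c, a \oplus c, b \oplus c, a \oplus b$ are all bent then $|W_a(\mathbf{u})| = |W_b(\mathbf{u})| = |W_c(\mathbf{u})| = |W_{a \oplus b}(\mathbf{u})| = |W_{a \oplus c}(\mathbf{u})| = |W_{b \oplus c}(\mathbf{u})| = 1$. Further, from the imposed conditions on these functions' Walsh-Hadamard coefficients, we see that $W_a(\mathbf{u}) W_b(\mathbf{u}) + W_{a \oplus c}(\mathbf{u}) W_{b \oplus c}(\mathbf{u}) + 2 W_c(\mathbf{u}) W_{a \oplus b}(\mathbf{u}) = 0$, and also $W_a(\mathbf{u}) W_c(\mathbf{u}) + W_b(\mathbf{u}) W_{a \oplus b}(\mathbf{u}) = 0$, $W_b(\mathbf{u}) W_c(\mathbf{u}) + W_a(\mathbf{u}) W_{a \oplus b}(\mathbf{u}) = 0$ (that is because if $W_a(\mathbf{u})$ and $W_b(\mathbf{u})$ have the same sign, then $W_c(\mathbf{u})$, $W_{a \oplus b}(\mathbf{u})$ have opposite signs; further, if $W_a(\mathbf{u})$ and $W_b(\mathbf{u})$ have opposite signs, then $W_c(\mathbf{u})$, $W_{a \oplus b}(\mathbf{u})$ have the same sign). Using these equations, we get that $4 |\mathcal{H}_f(\mathbf{u}, v, w)|^2 = 4$, and so, $f$ is gbent [44].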


5.4  Necessary  Conditions  for  Generalized  Bent  Functions 

The  material  presented  in  this  section  was  taken  directly  from  the  paper  Generalized  bent 
functions  and  their  Gray  images  [28]  and  appears  in  its  original  published  form. 


Theorem 5.7. [28] All gbent functions $f \in \mathcal{GB}_n^{2^k}$ are regular, except for $n$ odd and $k = 2$, in which case we have = 2^~ (±1 ± i).

From the definition of a Boolean bent function via the Walsh-Hadamard transform we immediately obtain the following equivalent definition, where we denote the support of a Boolean function $f$ by $\mathrm{supp}(f) := \{\mathbf{x} \in \mathbb{V}_n : f(\mathbf{x}) = 1\}$: A Boolean function $f : \mathbb{V}_n \to \mathbb{F}_2$ is bent if and only if for every $\mathbf{u} \in \mathbb{V}_n$ the function $f_{\mathbf{u}}(\mathbf{x}) := f(\mathbf{x}) \oplus \mathbf{u}\cdot\mathbf{x}$ satisfies $|\mathrm{supp}(f_{\mathbf{u}})| = 2^{n-1} \pm 2^{n/2-1}$. Our next target is to show an analog description for gbent functions. We use the following lemma [28].

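Lemma 5.8. [28] Let $q = 2^k$, $k > 1$, $\zeta = e^{2\pi i/q}$. If $\rho_l \in \mathbb{Q}$, $0 \le l \le q-1$, and $\sum_{l=0}^{q-1} \rho_l \zeta^l = r$ is rational, then $\rho_j = \rho_{2^{k-1}+j}$, for $1 \le j \le 2^{k-1} - 1$ [28].

Proof. Since $\zeta^{2^{k-1}+l} = -\zeta^l$ for $0 \le l \le 2^{k-1} - 1$, we can write every element $z$ of the cyclotomic field $\mathbb{Q}(\zeta)$ as

$$z = \sum_{l=0}^{2^{k-1}-1} \lambda_l \zeta^l, \quad \lambda_l \in \mathbb{Q},\ 0 \le l \le 2^{k-1} - 1.$$

As $[\mathbb{Q}(\zeta) : \mathbb{Q}] = \varphi(q) = 2^{k-1}$ ($\varphi$ is Euler's totient function), the set $\{1, \zeta, \ldots, \zeta^{2^{k-1}-1}\}$ is a basis of $\mathbb{Q}(\zeta)$. Since

$$0 = \sum_{l=0}^{q-1} \rho_l \zeta^l - r = (\rho_0 - \rho_{2^{k-1}} - r) + \sum_{j=1}^{2^{k-1}-1} (\rho_j - \rho_{2^{k-1}+j}) \zeta^j,$$

the assertion of the lemma follows. ■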


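Proposition 5.9. [28] Let $n = 2m$ be even, and for a function $f : \mathbb{V}_n \to \mathbb{Z}_{2^k}$ and $\mathbf{u} \in \mathbb{V}_n$, let $f_{\mathbf{u}}(\mathbf{x}) = f(\mathbf{x}) + 2^{k-1}(\mathbf{u}\cdot\mathbf{x})$, and let $b_j^{(\mathbf{u})} = |\{\mathbf{x} \in \mathbb{V}_n : f_{\mathbf{u}}(\mathbf{x}) = j\}|$, $0 \le j \le 2^k - 1$. Then $f$ is gbent if and only if for all $\mathbf{u} \in \mathbb{V}_n$ there exists an integer $\rho_{\mathbf{u}}$, $0 \le \rho_{\mathbf{u}} \le 2^{k-1} - 1$, such that

$$b^{(\mathbf{u})}_{2^{k-1}+\rho_{\mathbf{u}}} = b^{(\mathbf{u})}_{\rho_{\mathbf{u}}} \pm 2^m \quad \text{and} \quad b^{(\mathbf{u})}_{2^{k-1}+j} = b^{(\mathbf{u})}_j, \text{ for } 0 \le j \le 2^{k-1} - 1,\ j \ne \rho_{\mathbf{u}}.$$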


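Proof. First suppose that $f$ is gbent. Then by Theorem 5.7, $f$ is a regular gbent function. Hence

$$\mathcal{H}_f(\mathbf{u}) = \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x})} (-1)^{\mathbf{u}\cdot\mathbf{x}} = \sum_{\mathbf{x} \in \mathbb{V}_n} \zeta^{f(\mathbf{x}) + 2^{k-1}(\mathbf{u}\cdot\mathbf{x})} = \mathcal{H}_{f_{\mathbf{u}}}(\mathbf{0}) = \sum_{j=0}^{2^k-1} b_j^{(\mathbf{u})} \zeta^j = 2^m \zeta^r$$

for some $0 \le r \le 2^k - 1$. With $\rho_{\mathbf{u}} = r$ if $0 \le r \le 2^{k-1} - 1$, and $\rho_{\mathbf{u}} = r - 2^{k-1}$ otherwise, the claim follows from Lemma 5.8.

The converse statement is verified in a straightforward manner [28]. ■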


We now can present connections between gbent functions and their components for the general case of gbent functions in $\mathcal{GB}_n^{2^k}$, $k > 1$. This generalizes the corresponding results for $k = 2$ and $k = 3$ in [42] and in [44].

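Theorem 5.10. [28] Let $n$ be even, and let $f(\mathbf{x})$ be a gbent function in $\mathcal{GB}_n^{2^k}$, $k > 1$, (uniquely) given as

$$f(\mathbf{x}) = a_1(\mathbf{x}) + 2a_2(\mathbf{x}) + \cdots + 2^{k-2}a_{k-1}(\mathbf{x}) + 2^{k-1}a_k(\mathbf{x}),$$

$a_i \in \mathcal{B}_n$, $1 \le i \le k$. Then all Boolean functions of the form

$$g_{\mathbf{c}}(\mathbf{x}) = c_1a_1(\mathbf{x}) \oplus c_2a_2(\mathbf{x}) \oplus \cdots \oplus c_{k-1}a_{k-1}(\mathbf{x}) \oplus a_k(\mathbf{x}),$$

$\mathbf{c} = (c_1, c_2, \ldots, c_{k-1}) \in \mathbb{F}_2^{k-1}$, are bent functions.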

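Proof. As in Proposition 5.9, for the gbent function $f$ we denote by $f_{\mathbf{u}}$ the function $f_{\mathbf{u}}(\mathbf{x}) = a_1(\mathbf{x}) + \cdots + 2^{k-2}a_{k-1}(\mathbf{x}) + 2^{k-1}(a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x})$ in $\mathcal{GB}_n^{2^k}$. Again, the integer $b_r^{(\mathbf{u})}$, $0 \le r \le 2^k - 1$, is defined as $b_r^{(\mathbf{u})} = |\{\mathbf{x} \in \mathbb{V}_n : f_{\mathbf{u}}(\mathbf{x}) = r\}|$. By Proposition 5.9, $b^{(\mathbf{u})}_{r+2^{k-1}} = b^{(\mathbf{u})}_r$ for all $0 \le r \le 2^{k-1} - 1$, except for one element $\rho_{\mathbf{u}} \in \{0, \ldots, 2^{k-1} - 1\}$ depending on $\mathbf{u}$, for which $b^{(\mathbf{u})}_{\rho_{\mathbf{u}}+2^{k-1}} = b^{(\mathbf{u})}_{\rho_{\mathbf{u}}} \pm 2^{n/2}$.

Since it is somewhat easier to follow, we first show the bentness of $a_k(\mathbf{x}) = g_{\mathbf{0}}(\mathbf{x})$. In the second step we show the general case. For $r \ne \rho_{\mathbf{u}}$, $0 \le r \le 2^{k-1} - 1$, consider all $\mathbf{x} \in \mathbb{V}_n$ for which $a_1(\mathbf{x}) + \cdots + 2^{k-2}a_{k-1}(\mathbf{x}) = r$. Since $b^{(\mathbf{u})}_{r+2^{k-1}} = b^{(\mathbf{u})}_r$, for exactly half of these $\mathbf{x}$ we have $a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x} = 0$ (note that the number of these $\mathbf{x}$ must be even). Among all $\mathbf{x} \in \mathbb{V}_n$ for which $a_1(\mathbf{x}) + \cdots + 2^{k-2}a_{k-1}(\mathbf{x}) = \rho_{\mathbf{u}}$, there are $b^{(\mathbf{u})}_{\rho_{\mathbf{u}}}$ for which $a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x} = 0$, and there are $b^{(\mathbf{u})}_{\rho_{\mathbf{u}}+2^{k-1}} = b^{(\mathbf{u})}_{\rho_{\mathbf{u}}} \pm 2^{n/2}$ for which $a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x} = 1$. Hence for the Walsh-Hadamard transform of $a_k$ we get

$$\mathcal{W}_{a_k}(\mathbf{u}) = \sum_{\mathbf{x} \in \mathbb{V}_n} (-1)^{a_k(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x}} = \pm 2^{n/2},$$

which shows that $a_k$ is bent.

To show that $g_{\mathbf{c}}$ is bent for every $\mathbf{c} \in \mathbb{F}_2^{k-1}$, we write $f_{\mathbf{u}}(\mathbf{x})$, $\mathbf{u} \in \mathbb{V}_n$, as

$$f_{\mathbf{u}}(\mathbf{x}) = c_1a_1(\mathbf{x}) + \cdots + c_{k-1}2^{k-2}a_{k-1}(\mathbf{x}) + \bar{c}_1a_1(\mathbf{x}) + \cdots + \bar{c}_{k-1}2^{k-2}a_{k-1}(\mathbf{x}) + 2^{k-1}(a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x}) := h(\mathbf{x}) + \bar{h}(\mathbf{x}) + 2^{k-1}(a_k(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x}),$$

where $\bar{\mathbf{c}} = \mathbf{c} \oplus \mathbf{1}$. Note that every $0 \le r \le 2^{k-1} - 1$ in the value set of $a_1(\mathbf{x}) + \cdots + 2^{k-2}a_{k-1}(\mathbf{x})$ has then a unique representation as $h(\mathbf{x}) + \bar{h}(\mathbf{x})$. Consider $\mathbf{x}$ for which $h(\mathbf{x}) + \bar{h}(\mathbf{x}) = r + s \ne \rho_{\mathbf{u}}$. Again from $b^{(\mathbf{u})}_{r+s+2^{k-1}} = b^{(\mathbf{u})}_{r+s}$ we infer that for half of those $\mathbf{x}$ we have $a_k(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x} = 0$. Hence also

$$g_{\mathbf{c}}(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x} = c_1a_1(\mathbf{x}) \oplus \cdots \oplus c_{k-1}a_{k-1}(\mathbf{x}) \oplus a_k(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x} = 0$$

for exactly half of those $\mathbf{x}$. (Observe that $h(\mathbf{x}_1) = h(\mathbf{x}_2) = r$ implies $c_1a_1(\mathbf{x}_1) \oplus \cdots \oplus c_{k-1}a_{k-1}(\mathbf{x}_1) = c_1a_1(\mathbf{x}_2) \oplus \cdots \oplus c_{k-1}a_{k-1}(\mathbf{x}_2)$.) Similarly as above, among all $\mathbf{x} \in \mathbb{V}_n$ for which $h(\mathbf{x}) + \bar{h}(\mathbf{x}) = \rho_{\mathbf{u}}$, there are $b^{(\mathbf{u})}_{\rho_{\mathbf{u}}}$ for which $a_k(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x} = 0$, and there are $b^{(\mathbf{u})}_{\rho_{\mathbf{u}}+2^{k-1}} = b^{(\mathbf{u})}_{\rho_{\mathbf{u}}} \pm 2^{n/2}$ for which $a_k(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x} = 1$. From this we conclude that $|\{\mathbf{x} \in \mathbb{V}_n : h(\mathbf{x}) + \bar{h}(\mathbf{x}) = \rho_{\mathbf{u}} \text{ and } f_{\mathbf{u}}(\mathbf{x}) = 1\}| - |\{\mathbf{x} \in \mathbb{V}_n : h(\mathbf{x}) + \bar{h}(\mathbf{x}) = \rho_{\mathbf{u}} \text{ and } f_{\mathbf{u}}(\mathbf{x}) = 0\}| = \pm 2^{n/2}$. Therefore

$$\mathcal{W}_{g_{\mathbf{c}}}(\mathbf{u}) = \sum_{\mathbf{x} \in \mathbb{V}_n} (-1)^{g_{\mathbf{c}}(\mathbf{x}) \oplus \mathbf{u} \cdot \mathbf{x}} = \pm 2^{n/2},$$

and $g_{\mathbf{c}}$ is bent [28]. ■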

Theorem 5.10, which assigns to a gbent function an affine space of bent functions, provides a necessary condition for a function $f \in \mathcal{GB}_n^{2^k}$ to be gbent. For $k > 2$ the condition is not sufficient [28].
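Proposition 5.9 and Theorem 5.10 can be checked by brute force on small functions. The Python below is an added example, not code from the dissertation: the function names and the two sample functions on $\mathbb{V}_4$ with values in $\mathbb{Z}_8$ are constructed here, and gbent is taken to mean $|\mathcal{H}_f(\mathbf{u})| = 2^{n/2}$ for every $\mathbf{u}$. The second sample has every component $g_{\mathbf{c}}$ bent without being gbent, which illustrates why the condition is only necessary when $k = 3$.

```python
import cmath
from itertools import product


def vectors(n):
    """All elements of V_n as bit tuples."""
    return list(product((0, 1), repeat=n))


def dot(u, x):
    """Inner product u . x over F_2."""
    return sum(a & b for a, b in zip(u, x)) & 1


def gwht(f, n, k, u):
    """Generalized Walsh-Hadamard transform: sum_x zeta^f(x) * (-1)^(u.x), zeta = e^(2*pi*i/2^k)."""
    zeta = cmath.exp(2j * cmath.pi / 2 ** k)
    return sum(zeta ** f[x] * (-1) ** dot(u, x) for x in vectors(n))


def is_gbent(f, n, k):
    """Floating-point check that |H_f(u)| = 2^(n/2) for every u."""
    return all(abs(abs(gwht(f, n, k, u)) - 2 ** (n / 2)) < 1e-9 for u in vectors(n))


def rho_table(f, n, k):
    """Integer-only gbent test of Proposition 5.9 (n even).

    Returns {u: rho_u} when the counting condition holds for every u, else None.
    """
    half, target = 2 ** (k - 1), 2 ** (n // 2)
    table = {}
    for u in vectors(n):
        b = [0] * (2 * half)                      # b[j] = #{x : f_u(x) = j}
        for x in vectors(n):
            b[(f[x] + half * dot(u, x)) % (2 * half)] += 1
        unequal = [j for j in range(half) if b[half + j] != b[j]]
        if len(unequal) != 1 or abs(b[half + unequal[0]] - b[unequal[0]]) != target:
            return None
        table[u] = unequal[0]
    return table


def walsh(g, n, u):
    """Walsh-Hadamard transform of a Boolean function g."""
    return sum((-1) ** (g[x] ^ dot(u, x)) for x in vectors(n))


def is_bent(g, n):
    return all(abs(walsh(g, n, u)) == 2 ** (n // 2) for u in vectors(n))


def component_bentness(f, n, k):
    """Theorem 5.10: for each c in F_2^(k-1), report whether g_c is bent."""
    xs = vectors(n)
    a = [{x: (f[x] >> i) & 1 for x in xs} for i in range(k)]   # a[0] = a_1, ..., a[k-1] = a_k
    result = {}
    for c in product((0, 1), repeat=k - 1):
        g = {x: (sum(ci & a[i][x] for i, ci in enumerate(c)) & 1) ^ a[k - 1][x] for x in xs}
        result[c] = is_bent(g, n)
    return result


# Constructed sample functions (not taken from the dissertation), n = 4, k = 3.
N, K = 4, 3


def _bent(x):
    """The bent function x1*x2 XOR x3*x4 on V_4."""
    return (x[0] & x[1]) ^ (x[2] & x[3])


F_GBENT = {x: x[0] + 2 * x[2] + 4 * _bent(x) for x in vectors(N)}
F_NOT_GBENT = {x: x[0] + 2 * x[1] + 4 * _bent(x) for x in vectors(N)}


def report(f):
    """Summarize the three checks for one function."""
    return {
        "gbent": is_gbent(f, N, K),
        "prop_5_9": rho_table(f, N, K) is not None,
        "all_components_bent": all(component_bentness(f, N, K).values()),
    }


if __name__ == "__main__":
    print("x1 + 2*x3 + 4*(x1x2 + x3x4):", report(F_GBENT))
    print("x1 + 2*x2 + 4*(x1x2 + x3x4):", report(F_NOT_GBENT))
```

The floating-point transform and the integer counting test of Proposition 5.9 agree on both samples; the counting test needs no complex arithmetic.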
CHAPTER 6:

Conclusion and Future Research


Set your course by the stars, not by the lights of every passing ship.

Omar N. Bradley


6.1  Conclusion 

In this dissertation we investigated generalized Boolean functions which were correlation immune, satisfied various avalanche features, and which were generalized bent. We presented several construction techniques for order 1 and higher correlation immune generalized Boolean functions, and also established new avalanche criteria for generalized Boolean functions. The goal of this research has been to increase our understanding of the inherent attributes of generalized Boolean functions so that we are capable of making prudent design choices when selecting these functions as components in future encryption schemes. Along the way we discovered several parallels between these functions and their Boolean counterparts, but oftentimes saw that things become more complicated when operating in a $q$-ary environment. In particular, we showed that while the Walsh-Hadamard transform is an outstanding tool for establishing whether or not Boolean functions satisfy certain cryptographic properties such as balance and correlation immunity, its utility is somewhat diminished in the more generalized setting. One area of concern which we attempted to address was the potential of adversaries carrying out what we termed a "decomposition attack," whereby they perform a binary expansion of the $q$-ary functional outputs in an attempt to discover weaknesses in the underlying Boolean function components. We showed that correlation immune generalized Boolean functions will not succumb to such techniques, but that when it comes to avalanche criteria, more care must be taken. One family of generalized Boolean functions which we believe shows particular promise is those that satisfy the uniform avalanche criterion. These functions are both probabilistic SAC as well as 1-resilient (order 1 correlation immune and balanced). Moreover, their constituent Boolean functions are guaranteed to also be resilient and SAC, thus making these functions resistant to decomposition attacks targeting these properties. Like many things in cryptography, trade-offs and compromises abound. While generalized Boolean functions will most likely find their rightful place in certain applications, they will equally likely prove unsuitable for others.

6.2  Future  Research 

We briefly investigated linear structures and directional derivatives of UAC compliant generalized Boolean functions, demonstrating the utility in ensuring that equal probabilities exist among the unit vectors when the generalized Boolean function's derivatives equal zero. It would be interesting in future research to further investigate linear structures of generalized Boolean functions, including the Meier and Staffelbach approach of perfect nonlinear generalized Boolean functions [30], as well as a notion of almost perfect nonlinear (APN) for generalized Boolean functions. We would also like to find a proof of Conjecture 2.26 and thus prove that there can be no symmetric and balanced generalized Boolean functions.
APPENDIX A:

Table of Nontrivial Binomial Bisections


The following table of nontrivial bisection solutions is a copy of the table which appears in the coauthored paper Bisecting binomial coefficients which was published in the journal Discrete Applied Mathematics [27].

The table contains the complete set of nontrivial bisection solution vectors for $1 \le n \le 50$. In the interest of saving space, we only list the highest lexicographically occurring solutions. Any additional solutions which a listed solution may yield, can be generated in the following manner: If a pair of bits are equidistant from the center of the given vector and differ, they may both be negated to produce a new solution. Additionally, any solution vector can also be reversed and negated in its entirety to produce yet another solution [27].
Table A.1: Nontrivial binomial bisections

n    number of solutions    nontrivial solution vectors
8    4                      100110001
13   16                     11110011001000
14   4                      101001101000101
     8                      101011100100101
20   4                      101010011010100010101
24   32                     1000110111011000100010001
     16                     1011001111010100101000101
26   4                      101010100110101010001010101
29   2048                   111111110111011000110010000000
31   512                    11110110011111100010101000001000
     128                    11110110010110011001100000001000
32   4                      101010101001101010101000101010101
33   16384                  1111111111111001101001000000000000
34   64                     10101001110110111010000000110010101
     32                     10101001110111101010010000110010101
     16                     10101001111100111010000110110010101
     8                      10101001111101101010010110110010101
     8                      10101010101011011010001010101010101
35   8                      101010101010100111001001010101010101
     16                     101010101011100111001000110101010101
38   4                      101010101010011010101010100010101010101
     32                     101111110010111110100011100010011011101
41   2048                   111111011110101001111000100100001110100000
     4096                   111111011110111001111000100010001110100000
     8192                   111111111111001010111001000100100010100000
     16384                  111111111111011010111001000010100010100000
44   4                      101010101010100110101010101010001010101010101
     128                    101011111000111111110110000011011000110110101
47   1048576                111111111111110100111111000001000000100000000000
48   4096                   1011001111011011010111010101000000000001000000101
50   4                      101010101010101001101010101010101000101010101010101
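The generation rule stated before Table A.1 can be checked mechanically. The Python below is an added example, not the dissertation's program: it reads a listed vector as the choice of binomial coefficients $\binom{n}{j}$ whose sum must equal $2^{n-1}$, applies the two operations from the text (negating a differing pair of bits equidistant from the center, and reversing and negating the whole vector) until no new vector appears, and compares the result with the "number of solutions" column. The function names are chosen here, and the four sample rows are copied from the table.

```python
from math import comb


def is_bisection(v):
    """True if the coefficients C(n, j) selected by the 1-bits of v sum to 2^(n-1)."""
    n = len(v) - 1
    return sum(comb(n, j) for j, bit in enumerate(v) if bit == "1") == 2 ** (n - 1)


def reverse_negate(v):
    """Reverse the vector and negate every bit."""
    return "".join("1" if bit == "0" else "0" for bit in reversed(v))


def pair_flips(v):
    """Yield each vector obtained by negating one differing pair (i, n - i).

    Negating both bits of a differing pair is the same as swapping them, and
    C(n, i) = C(n, n - i), so the selected sum is unchanged.
    """
    n = len(v) - 1
    for i in range((n + 1) // 2):      # the center position (n even) has no partner
        j = n - i
        if v[i] != v[j]:
            w = list(v)
            w[i], w[j] = v[j], v[i]
            yield "".join(w)


def orbit(listed):
    """All solutions generated from one listed vector, highest lexicographic first."""
    if not is_bisection(listed):
        raise ValueError("not a bisection: " + listed)
    seen, stack = {listed}, [listed]
    while stack:
        v = stack.pop()
        for w in [reverse_negate(v), *pair_flips(v)]:
            if w not in seen:
                seen.add(w)
                stack.append(w)
    return sorted(seen, reverse=True)


# Rows copied from Table A.1: listed vector -> number of solutions.
SAMPLE_ROWS = {
    "100110001": 4,            # n = 8
    "11110011001000": 16,      # n = 13
    "101001101000101": 4,      # n = 14
    "101011100100101": 8,      # n = 14
}


def check_rows(rows):
    """For each row: every generated vector is a bisection, the count matches
    the table, and the listed vector is the lexicographically highest."""
    return {
        v: (all(is_bisection(w) for w in orbit(v))
            and len(orbit(v)) == count
            and orbit(v)[0] == v)
        for v, count in rows.items()
    }


if __name__ == "__main__":
    for vec, ok in check_rows(SAMPLE_ROWS).items():
        print(len(vec) - 1, vec, len(orbit(vec)), "ok" if ok else "MISMATCH")
```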
APPENDIX B:

Binomial Bisection Program


The following parallel computer program written in Julia was created by the dissertation author to exhaustively search for all nontrivial bisection solutions. The code was run on the Hamming high performance computer (HPC) at the Naval Postgraduate School, and found all nontrivial binomial bisections for $n \le 51$ (see Appendix A.1). In addition to the cited paper, these research results also contributed to the integer sequence, for $37 \le n \le 51$, of the total number of binomial bisections (trivial and nontrivial) which appears as A200147 in the Online Encyclopedia of Integer Sequences.

    # Uses pre-1.0 Julia syntax (typealias, Array(T, n), tic()/toc()).
    using MPI

    # n: search binomial coefficients C(n,0..n); q: MPI processes per run;
    # p: number of program runs the search space is split into; r: index of this run
    function bisect(n, q, p, r)
        # Unsigned integer type wide enough to hold an (n+1)-bit candidate vector
        # typealias BInt_t UInt8
        # typealias BInt_t UInt16
        # typealias BInt_t UInt32
        typealias BInt_t UInt64
        # typealias BInt_t UInt128

        @assert BInt_t != UInt8   || n < 8
        @assert BInt_t != UInt16  || n < 16
        @assert BInt_t != UInt32  || n < 32
        @assert BInt_t != UInt64  || n < 64
        @assert BInt_t != UInt128 || n < 128

        comm = MPI.COMM_WORLD
        root = 0

        rank = MPI.Comm_rank(comm)
        size = MPI.Comm_size(comm)
        const procs = q
        const pgms = p
        const pgm_inst = r
        # Number of candidate vectors handled by each process
        const stride::BInt_t = Int(2^(n+1)/(procs*pgms))

        #Set target value
        const bisect_sum = BInt_t(2)^(n-1)

        #Set vector center
        const center = div(n+1,2)

        #Set lower Hamming weight boundary
        if n <= 4
            lwr_wt = 0
        elseif 4 < n <= 6
            lwr_wt = 2
        elseif 7 <= n <= 8
            lwr_wt = 3
        elseif 8 < n <= 10
            lwr_wt = 4
        elseif 10 < n <= 12
            lwr_wt = 5
        else
            m = Int(ceil(log(2,n)))
            lwr_wt = Int(ceil(log(2,m))) + m
        end

        #Set upper Hamming weight boundary
        if n <= 4
            upr_wt = n+1
        else
            upr_wt = n-lwr_wt+1
        end

        #Create binomial coefficients array: bin_coef[j] = C(n, j-1)
        bin_coef = Array(BInt_t, n+1)
        for j = 1:n+1
            @inbounds bin_coef[j] = binomial(big(n), j-1)
        end

        #Initialize solution containers
        solns = []
        count = 0

        # Collect one object from every rank on the root rank
        function gather(obj, root::Integer, comm::MPI.Comm)
            buf = Array(typeof(obj), MPI.Comm_size(comm))
            if (MPI.Comm_rank(comm) != root)
                MPI.send(obj, root, 666, comm)
            else
                for r = 0:MPI.Comm_size(comm)-1
                    if r != root
                        rmesg = MPI.recv(r, 666, comm)
                        buf[r+1] = rmesg[1]
                    else
                        buf[r+1] = obj
                    end
                end
            end
            buf
        end

        #Test for symmetry
        function sym_test(f)
            i = 1
            @inbounds while i <= center
                if f[i] != f[n+2-i]
                    return 0
                else
                    i += 1
                end
            end
            return 1
        end

        #Eliminate vectors
        function test(f)
            issym = true
            j = 1
            while j <= center
                if f[j] == 1 && f[n+2-j] == 0
                    return 0
                elseif issym && f[j] != f[n+2-j]
                    issym = false
                end
                j += 1
            end
            if issym && f[1] == 1
                return 0
            end
            return 1
        end

        #Generate solution vectors: count the solutions a found vector yields
        function gen_sol(f)
            if sym_test(f) == 1
                count += 2
            else
                j = 0
                for i = 1:center
                    if f[i] != f[n+2-i]
                        j += 1
                    end
                end
                count += 2^j
            end
        end

        #Check candidate vectors
        f = zeros(BInt_t, n+1);
        BInt_zero = BInt_t(0)
        BInt_one = BInt_t(1)
        start::BInt_t = pgm_inst*(procs*stride) + (rank*stride) + 1
        stop::BInt_t = (start + stride) - 1

        for s = start:stop
            # Unpack the bits of s into f and accumulate the Hamming weight
            sum_f = BInt_zero
            for i = 1:n+1
                tmp = s & BInt_one
                s = s >> 1
                f[i] = tmp
                sum_f += tmp
                if sum_f >= upr_wt
                    break
                end
            end

            if lwr_wt < sum_f < upr_wt
                if test(f) == 1
                    my_sum = BInt_t(0)
                    for k = 1:n+1
                        if f[k] == 1
                            my_sum += bin_coef[k]
                        end
                        if my_sum > bisect_sum
                            break
                        end
                    end

                    if bisect_sum == my_sum
                        println(round(Int,f))
                        gen_sol(f)
                    end
                end
            end
        end

        gcount = gather(count, root, comm)
        if (rank == root)
            num_sol = sum(gcount)
            println("N = ",n, " Section = ",pgm_inst, " Number of Bisections = ",
                    num_sol)
        end
    end

    let
        MPI.Init()
        n = 51
        q = 64
        p = 64
        r = 53

        if (MPI.Comm_rank(MPI.COMM_WORLD) == 0)
            tic()
        end

        bisect(n, q, p, r)

        if (MPI.Comm_rank(MPI.COMM_WORLD) == 0)
            toc()
        end

        MPI.Finalize()
    end
APPENDIX C:

Some Linear Orthogonal Arrays for Higher Order Correlation Immune Generalized Boolean Function Constructions


The following (incomplete) list of linear orthogonal arrays, which are suitable for constructing higher order correlation immune generalized Boolean functions using the method outlined in Algorithm 4, has been compiled using data from Hedayat, Sloane and Stufken's book on orthogonal arrays [19] as well as the Sloane online database of orthogonal arrays [41].

